Konstantin,

On 4/15/14, 1:21 PM, Konstantin Kolinko wrote:
> 2014-04-15 5:14 GMT+04:00 <schu...@apache.org>:
>> Author: schultz
>> Date: Tue Apr 15 01:14:40 2014
>> New Revision: 1587379
>>
>> URL: http://svn.apache.org/r1587379
>> Log:
>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
>> Add more nuanced support for entering/requiring FIPS mode when using APR
>> connector.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
>> tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
>> tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
>> tomcat/trunk/webapps/docs/config/listeners.xml
>>
>
> (...)
>
>> Modified: tomcat/trunk/webapps/docs/config/listeners.xml
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/listeners.xml?rev=1587379&r1=1587378&r2=1587379&view=diff
>> ==============================================================================
>> --- tomcat/trunk/webapps/docs/config/listeners.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/listeners.xml Tue Apr 15 01:14:40 2014
>> @@ -112,12 +112,22 @@ >> </attribute> >> >> <attribute name="FIPSMode" required="false"> >> - <p>Set to <code>on</code> to instruct OpenSSL to go into FIPS mode. >> + <p>Set to <code>on</code> to request that OpenSSL be in FIPS mode >> + (if OpenSSL is already in FIPS mode, it will remain in FIPS mode). >> + Set to <code>enter</code> to force OpenSSL to enter FIPS mode (an >> error >> + will occur if OpenSSL is already in FIPS mode). >> + Set to <code>require</code> to require that OpenSSL <i>already</i> >> be >> + in FIPS mode (an error will occur if OpenSSL is not already in FIPS >> + mode). >> FIPS mode <em>requires you to have a FIPS-capable OpenSSL library >> which >> you must build yourself</em>. >> - FIPS mode also requires Tomcat native library version 1.1.23 or >> later, >> - which <em>must be built against the FIPS-compatible OpenSSL</em> >> library. >> - If this attribute is "on", <b>SSLEngine</b> must be enabled as well. >> + <code>FIPSMode="on"</code> or <code>FIPSMode="require"</code> >> requires >> + Tomcat native library version 1.1.30 or later, while > > The text below makes no sense. > As you changed TCN_REQUIRED_PATCH in r1587378 to require 1.1.30, > Tomcat will refuse to load older versions of TCNative. > >> + <code>FIPSMode="enter"</code> can probably be done with Tomcat >> native >> + library version 1.2.23 or later -- either of which <em>must be built >> + against the FIPS-compatible OpenSSL</em> library. >> + If this attribute is set to any of the above values, >> <b>SSLEngine</b> >> + must be enabled as well for any effect. >> The default value is <code>off</code>.</p> >> </attribute>
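Review bot: The version requirement added to the FIPSMode description is hedged and internally inconsistent, which is a problem in user-facing documentation: "FIPSMode="on" or FIPSMode="require" requires Tomcat native library version 1.1.30 or later" sits next to "FIPSMode="enter" can probably be done with Tomcat native library version 1.2.23 or later", and, as noted above, r1587378 already raised TCN_REQUIRED_PATCH to 1.1.30 so older Tomcat Native versions will not be loaded at all. Suggest collapsing this into one unhedged sentence stating the single minimum Tomcat Native version and the requirement that it be built against the FIPS-capable OpenSSL. Separately, each of the three new values says "an error will occur" but the text does not say what that error means for the server: a deployer choosing `require` does so to guarantee that the connector never runs outside FIPS mode, so the description should state whether the listener fails server startup in that case or merely logs the condition, and the same for `enter` when OpenSSL is already in FIPS mode.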
I'll remove that comment.

> Changelog entry for this change and for r1587378 = where?

Lost in the circular-reasoning behind not modifying the changelog for
Tomcat 8 but Tomcat 8 being semi-released at this point.

I'll make these fixes in a new patch in the next few minutes.

Thanks,
-chris