Mark,

On 11/9/11 2:12 PM, Mark Thomas wrote:
> What happens if I try this with 1.1.22?

Here is the behavior under various circumstances:
1.1.23, openssl-fips, FIPSMode!="on": regular startup
1.1.23, openssl-fips, FIPSMode="on": enter FIPS mode
1.1.23, openssl, FIPSMode!="on": regular startup
1.1.23, openssl, FIPSMode="on": error:
  java.lang.Exception: FIPS was not available to tcnative at build
  time. You will need to re-build tcnative against an OpenSSL with
  FIPS.
1.1.22, any combination: UnsatisfiedLinkError followed by SSL connector
  configuration NOT in FIPS mode :(
Honestly, I am surprised that the Connector comes up when
AprLifecycleListener fails to set sslAvailable = true. I think I might
need to shut down the SSL engine if there are any errors coming back
from setFIPSMode.
I think I might also want to set sslInitialized = true *after* all of
the initialization has actually occurred: AprLifecycleListener is/was
setting sslInitialized=true *before* any initialization actually occurs.
I see several ways to move forward, here, not necessarily mutually
exclusive:
1. terminate SSL on FIPS error
2. set sslInitialized after initialization is complete (including
FIPS), not before
3. set error state in SSL class to prevent connectors from using
an improperly initialized SSL environment
Comments?
-chris
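The three options sketched in the message above are one fail-closed initialization pattern, shown here as an added illustration (not Tomcat's AprLifecycleListener or tcnative, and not code from the thread). The `NativeSsl` interface, the `FakeNativeSsl` stand-in, `SslState`, and `initSsl` are hypothetical names; the fake simply throws the "FIPS was not available ... at build time" message when built without FIPS, standing in for the real native error:

```java
// Added illustration (not Tomcat's AprLifecycleListener): a fail-closed SSL
// initializer that marks "initialized" only after every step, including the
// FIPS step, has succeeded, and records an error state that connectors check.
// NativeSsl, FakeNativeSsl, SslState and initSsl are hypothetical names.
public class SslInit {

    /** Minimal stand-in for the native binding (hypothetical interface). */
    interface NativeSsl {
        void initialize() throws Exception;
        /** Returns the resulting FIPS mode (1 = on); throws if unavailable. */
        int setFipsMode(int mode) throws Exception;
    }

    /** Constructed fake: behaves like a build with or without FIPS support. */
    static final class FakeNativeSsl implements NativeSsl {
        private final boolean fipsBuiltIn;
        FakeNativeSsl(boolean fipsBuiltIn) { this.fipsBuiltIn = fipsBuiltIn; }
        public void initialize() {}
        public int setFipsMode(int mode) throws Exception {
            if (!fipsBuiltIn) {
                throw new Exception("FIPS was not available to tcnative at build time.");
            }
            return mode;
        }
    }

    /** Shared state a connector must consult before building an SSL engine. */
    static final class SslState {
        private boolean initialized;   // set only after ALL steps succeed
        private boolean fipsActive;
        private String error;          // non-null => SSL must not be used

        synchronized void markReady(boolean fips) { initialized = true; fipsActive = fips; error = null; }
        synchronized void markFailed(String why)  { initialized = false; fipsActive = false; error = why; }
        synchronized boolean isInitialized() { return initialized; }
        synchronized boolean isFipsActive()  { return fipsActive; }

        /** Option 3: refuse to hand out an engine from a bad environment. */
        synchronized void checkUsable() {
            if (error != null) throw new IllegalStateException("SSL disabled: " + error);
            if (!initialized)  throw new IllegalStateException("SSL not initialized");
        }
    }

    /** Options 1 and 2: initialize, apply FIPS, and only then set the flag. */
    static SslState initSsl(NativeSsl ssl, String fipsMode) {
        SslState state = new SslState();
        try {
            ssl.initialize();
            boolean fips = false;
            if ("on".equalsIgnoreCase(fipsMode)) {
                int result = ssl.setFipsMode(1);
                if (result != 1) {
                    throw new IllegalStateException("FIPS mode requested but not active");
                }
                fips = true;
            }
            state.markReady(fips);            // option 2: the flag is set last, not first
        } catch (Exception e) {
            state.markFailed(e.getMessage()); // option 1: terminate SSL on any init/FIPS error
        }
        return state;
    }

    public static void main(String[] args) {
        // FIPS-capable build, FIPSMode="on": the connector may proceed.
        SslState ok = initSsl(new FakeNativeSsl(true), "on");
        ok.checkUsable();
        System.out.println("fips build, on  -> initialized=" + ok.isInitialized()
                + " fips=" + ok.isFipsActive());

        // Plain build, FIPSMode="on": the connector must refuse rather than
        // silently start with a non-FIPS SSL environment.
        SslState bad = initSsl(new FakeNativeSsl(false), "on");
        try {
            bad.checkUsable();
            System.out.println("BUG: connector started on a failed SSL environment");
        } catch (IllegalStateException e) {
            System.out.println("plain build, on -> refused: " + e.getMessage());
        }
    }
}
```

The important property is that the second scenario ends with the connector refusing to start, rather than coming up in non-FIPS mode after a FIPS failure; `markReady` is the only place the initialized flag becomes true, and it is reached only after `setFipsMode` has returned the requested mode.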
