Konstantin, On 11/9/11 3:39 PM, Konstantin Kolinko wrote: > 2011/11/10 Christopher Schultz <ch...@christopherschultz.net>: >>> >>> There is java.lang.UnsatisfiedLinkError (and not the >>> IllegalStateException that the code throws). >>> >>> Despite this error, Tomcat startup sequence continues. >>> >>> I guess that from FIPS PoV the failure to initialize FIPS mode should >>> be more fatal, regardless of its cause. >>> Be it because of native lib returning error code or this tc-native >>> version mismatch. >>> Maybe even throw an error if SSLEngine was not "on". Now it just >>> causes the FIPS mode to be ignored. >>> >>> I do not know why UnsatisfiedLinkError error was not enough to break it. >> >> Because the AprLifecycleListener's code looks like this: >> >> if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) { >> synchronized (lock) { >> init(); >> if (aprAvailable) { >> try { >> initializeSSL(); >> } catch (Throwable t) { >> ExceptionUtils.handleThrowable(t); >> log.error(sm.getString("aprListener.sslInit"), t); >> } >> } >> } >> >> >> The error is caught, logged, and execution continues. >> >> I did not feel that this was an appropriate patch to include changes to >> exception handling within the AprLivecycleListener. >> > > Maybe add explicit FIPS mode status check below the above error > handling? Something like: > > if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) { > fail fatally; > }
I could certainly do that, but I figured that the listener was written such that it would not fail. I didn't want to alter that behavior just to add FIPS support. -chris
signature.asc
Description: OpenPGP digital signature