Konstantin,
  Don't want to be putting words in Chris's mouth, but when I filed 56027 I did 
some poking around in the underlying OpenSSL code (at least on my RHEL6 box).  
Calling the openssl FIPS_mode_set() method twice causes an error.  I'd proposed 
exposing an additional routine to check the current status and quietly skip 
calling FIPS_mode_set() if we were already in FIPS mode. 

-Rob

________________________________________
From: Konstantin Kolinko [knst.koli...@gmail.com]
Sent: Tuesday, March 18, 2014 4:11 PM
To: Tomcat Developers List
Subject: Re: Time for 8.0.4

2014-03-18 23:46 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
> Mark,
>
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking rather
>> long. I've a few things left I want to look at but I expect to be in a
>> position to tag 8.0.4 late today / early tomorrow.
>
> Any objections to adding the fix for
> https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
> has been a tcnative release?
>
> I needed a tcnative release to include some support code to allow the
> APR listener to allow FIPS mode when OpenSSL had already been
> initialized in FIPS mode before the APR listener tries to enter it.
> (Wow, that sentence is awful. Read the bug for a long-winded explanation).
>

According to tc-native changelog, the new function you are calling
there will be in 1.1.30.

The recent release was of mod_jk, not of tc-native.  (BTW, no
announcement article on tomcat.a.o). Thus '-1'.

Regarding the patch:
1) Why, in the "on" case, are you calling "SSL.fipsModeGet()"?  If you
hadn't done that, I think it would work with older library versions.
2) In documentation part: update required version of tc-native in
description of this feature.
3) Update "recommended"/"required" versions in APRLifecycleListener?
4) Code style: position of opening '{'.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

