[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-09-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
Mark Thomas changed:
           What    |Removed |Added
         Resolution|---     |FIXED
             Status|NEW

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-08-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #14 from jfclere ---
https://github.com/apache/tomcat/pull/334 as the best I can get ;-)
--
You are receiving this mail because:
You are the assignee for the bug.

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-23 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #13 from jfclere ---
Something like no alias no wrapping and alias and FIPS warning and no wrapping?

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #12 from Christopher Schultz ---
Aren't we just "always wrapping" because it was simpler than only wrapping when necessary? Why don't we "only" wrap when we must? I think the wrapper is only for certain scenarios. Why not detect

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
jfclere changed:
                         What    |Removed |Added
    Attachment #37364 is obsolete|0       |1

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #10 from jfclere ---
kmf.getProvider().getInfo() also gives "Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-NSSfips" so indexOf("FIPS") != -1 would also work there.

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #9 from Remy Maucherat ---
(In reply to Christopher Schultz from comment #8)
> Seems like an awful hack.
>
> Perhaps instead we should have a configuration attribute like
> dontWrapKeyManager="true|false" and then simply do not

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #8 from Christopher Schultz ---
Seems like an awful hack.
Perhaps instead we should have a configuration attribute like dontWrapKeyManager="true|false" and then simply do not wrap in the first place. Or is the wrapping required

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #7 from jfclere ---
Created attachment 37367 --> https://bz.apache.org/bugzilla/attachment.cgi?id=37367=edit
improved? patch.
Check for FIPS to prevent regressions...

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #6 from jfclere ---
Note the ciphers list is needed for FIPS.

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #5 from jfclere ---
I need to investigate a little; I will come with a better patch later this week.

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #4 from Remy Maucherat ---
Yes, it would prevent using a key alias, which was the only reason for the wrapper. So I get FIPS mode prevents creative key manager uses then? Idea: maybe don't use a wrapper if there's no key alias

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #3 from Mark Thomas ---
Doesn't the patch defeat the point of using Tomcat's JSSEKeyManager thereby breaking the use cases that required it in the first place?

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
jfclere changed:
           What    |Removed |Added
                 CC|        |jfcl...@gmail.com
--- Comment #2 from

[Bug 64614] tomcat doesn't work with JSSE FIPS-compliant with NSS

2020-07-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
--- Comment #1 from jfclere ---
To configure I did the following:
modutil -create -dbdir /home/jfclere/db
touch /home/jfclere/db/secmod.db (for what?).
modutil -fips true -dbdir /home/jfclere/db
modutil -list -dbdir /home/jfclere/db (looks