tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/ catalina/core/ tomcat/jni/
Date Thu, 10 Nov 2011 00:32:41 GMT

On 11/9/11 2:12 PM, Mark Thomas wrote:
> What happens if I try this with 1.1.22?

Here is the behavior under various circumstances:

1.1.23, openssl-fips, FIPSMode!="on" : regular startup
1.1.23, openssl-fips, FIPSMode="on" : enter FIPS mode
1.1.23, openssl, FIPSMode!="on" : regular startup
1.1.23, openssl, FIPSMode="on", error:
   java.lang.Exception: FIPS was not available to tcnative at build
   time. You will need to re-build tcnative against an OpenSSL with
1.1.22, any combination: UnsatisfiedLinkError followed by SSL connector
        configuration NOT in FIPS mode :(

Honestly, I am surprised that the Connector comes up when
AprLifecycleListener fails to set sslAvailable = true. I think I might
need to shut-down the SSL engine if there are any errors coming back
from setFIPSMode.

I think I might also want to set sslInitialized = true *after* all of
the initialization has actually occurred: AprLifecycleListener is/was
setting sslInitialized=true *before* any initialization actually occurs.

I see several ways to move forward, here, not necessarily mutually

1. terminate SSL on FIPS error
2. set sslInitialized after initialization is complete (including
   FIPS), not before
3. set error state in SSL class to prevent connectors from using
   an improperly-initialized SSL environment



View raw message