tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
Date Wed, 09 Nov 2011 23:39:19 GMT

2011/11/10 Christopher Schultz <chris@christopherschultz.net>:
>>
>> There is java.lang.UnsatisfiedLinkError (and not the
>> IllegalStateException that the code throws).
>>
>> Despite this error, Tomcat startup sequence continues.
>>
>> I guess that from FIPS PoV the failure to initialize FIPS mode should
>> be more fatal, regardless of its cause.
>> Be it because of native lib returning error code or this tc-native
>> version mismatch.
>> Maybe even throw an error if SSLEngine was not "on". Now it just
>> causes the FIPS mode to be ignored.
>>
>> I do not know why the UnsatisfiedLinkError was not enough to break it.
>
> Because the AprLifecycleListener's code looks like this:
>
>        if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
>            synchronized (lock) {
>                init();
>                if (aprAvailable) {
>                    try {
>                        initializeSSL();
>                    } catch (Throwable t) {
>                        ExceptionUtils.handleThrowable(t);
>                        log.error(sm.getString("aprListener.sslInit"), t);
>                    }
>                }
>            }
>
>
> The error is caught, logged, and execution continues.
>
> I did not feel that this was an appropriate patch to include changes to
> exception handling within the AprLifecycleListener.
>

Maybe add an explicit FIPS mode status check below the above error
handling? Something like:

if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) {
  fail fatally;
}

Best regards,
Konstantin Kolinko
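
The fail-open behaviour discussed in this message, next to the suggested explicit status check, as an added example that is not part of the original e-mail and is not Tomcat's own code. All class, field and method names are hypothetical stand-ins, and the native failure is simulated.

```java
// Added example; every name here is hypothetical, not Tomcat's own code.
public class FipsFailClosedDemo {
    static String fipsMode = "on";          // what the administrator configured
    static boolean fipsModeActive = false;  // set only after the native call succeeds

    // Stand-in for the native FIPS call; simulates a native library
    // that does not provide the required symbol (constructed failure).
    static void enableFipsNative() {
        throw new UnsatisfiedLinkError("constructed: native FIPS symbol missing");
    }

    static void initializeSSL() {
        if ("on".equalsIgnoreCase(fipsMode)) {
            enableFipsNative();
            fipsModeActive = true;          // never reached when the call above fails
        }
    }

    // Mirrors the quoted pattern: any Throwable is logged and startup continues.
    static void beforeInitFailOpen() {
        try {
            initializeSSL();
        } catch (Throwable t) {
            System.err.println("SSL init failed: " + t);
        }
    }

    // Same handler plus the explicit status check suggested in the reply.
    // The check looks at the resulting state, so the cause of the failure
    // (native error code or link error) does not matter.
    static void beforeInitFailClosed() {
        beforeInitFailOpen();
        if ("on".equalsIgnoreCase(fipsMode) && !fipsModeActive) {
            throw new IllegalStateException(
                    "FIPS mode requested but not active; refusing to start");
        }
    }

    public static void main(String[] args) {
        beforeInitFailOpen();
        System.out.println("fail-open: startup continues, fipsModeActive=" + fipsModeActive);
        try {
            beforeInitFailClosed();
            System.out.println("fail-closed: startup continued (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("fail-closed: startup aborted: " + e.getMessage());
        }
    }
}
```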
