From: Christopher Schultz
Date: Wed, 16 Apr 2014 14:50:01 -0400
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Re: svn commit: r1587896 - in /tomcat/native/branches/1.1.x: native/src/ssl.c xdocs/miscellaneous/changelog.xml
Message-ID: <534ED0D9.9020007@christopherschultz.net>
In-Reply-To: <20140416125217.13037238889B@eris.apache.org>

Mladen,

On 4/16/14, 8:52 AM, mturk@apache.org wrote:
> Author: mturk
> Date: Wed Apr 16 12:52:16 2014
> New Revision: 1587896
> 
> URL: http://svn.apache.org/r1587896
> Log:
> Fix Bz56396.
> Be tolerant on RSA keys < 1024 bits
> 
> Modified:
>     tomcat/native/branches/1.1.x/native/src/ssl.c
>     tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
> 
> Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
> URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1587896&r1=1587895&r2=1587896&view=diff
> ==============================================================================
> --- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
> +++ tomcat/native/branches/1.1.x/native/src/ssl.c Wed Apr 16 12:52:16 2014
> @@ -221,6 +221,14 @@ static const jint supported_ssl_opts = 0
>  
>  static int ssl_tmp_key_init_rsa(int bits, int idx)
>  {
> +#ifdef OPENSSL_FIPS
> +    /**
> +     * With FIPS mode short RSA keys cannot be
> +     * generated.
> +     */
> +    if (bits < 1024)
> +        return 0;
> +#endif

Why not fix this by removing the actual call to
ssl_tmp_key_init_rsa(512) instead of modifying the behavior of the
function?

-chris
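Review bot: the new guard at the top of `ssl_tmp_key_init_rsa` keys off `OPENSSL_FIPS`, which is a compile-time macro set when OpenSSL was built with FIPS support, not a check that FIPS mode is active at runtime, so a FIPS-capable build running outside FIPS mode will also silently skip generating the short temporary key. If the intent is to tolerate the failure only where the key really cannot be generated, consider testing the runtime mode (OpenSSL's `FIPS_mode()`) alongside the macro, and make the comment state what `return 0` means to the caller (success with no key, or failure), since the early return leaves the temporary key for `idx` unset and whatever later consults that slot has to cope with an empty entry. The comment or the changelog entry should also say that this only hides the symptom from Bz56396 in FIPS builds while the non-FIPS path still generates RSA keys shorter than 1024 bits.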