Commit 66e9600d authored by William A. Rowe Jr

I'm wrong. Reviewing SecurityPolicy (2.0.13 + 1.2.4) at

https://www.openssl.org/docs/fips/ - using FIPS_mode_set(1) for revalidation
was actually expressly called out in section 3. While mod_ssl is 'unloaded'
(unconfigured) the process is not operating in a fips validated manner, but
once the configuration resets FIPS_mode_set(1) it resumes validated behavior.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1788258 13f79535-47bb-0310-9956-ffa450edef68
parent 76241f86
@@ -172,11 +172,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
                  http://svn.apache.org/r1781190
                  http://svn.apache.org/r1781312
     2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-mod_ssl-restart_leaks-v2.patch
     +1: ylavic, jim
     -1: wrowe - FIPS_mode_set(0) breaks FIPS policy and should be a noop, AIUI?
         (FIPS_mod_set(1) is per-process, but if openssl has been unloaded,
          unloaded, then it is obviously repeated on reload. Perhaps dodge the
          second mode set with linked-in mod_ssl?)
     +1: ylavic, jim, wrowe

  *) mod_proxy_hcheck: Don't validate timed out responses.
     trunk patch: http://svn.apache.org/r1779574
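Review bot: the replacement line `+1: ylavic, jim, wrowe` drops the entire -1 rationale without recording why the objection was withdrawn; the removed note asked whether FIPS_mode_set(0) breaks FIPS policy, and the commit message answers that re-entering with FIPS_mode_set(1) on reconfiguration is expressly permitted by section 3 of the OpenSSL Security Policy. Consider keeping a one-line pointer beside the vote, e.g. `+1: ylavic, jim, wrowe (FIPS_mode_set(1) on reload is allowed per Security Policy sect. 3)`, so the next reviewer of the mod_ssl restart_leaks backport does not reopen the same question.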