Commit d9f2c7df authored by Stefan Eissing's avatar Stefan Eissing

Merge of r1853133,r1853166 from trunk:

mod_ssl: Don't unset FIPS mode on restart unless it's forced by
     configuration (SSLFIPS on) and not active by default in OpenSSL. PR 63136.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1853197 13f79535-47bb-0310-9956-ffa450edef68
parent 18135911
+3 −1
                                                         -*- coding: utf-8 -*-
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.39
Changes with Apache 2.4.39


Changes with Apache 2.4.38
  *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
     configuration (SSLFIPS on) and not active by default in OpenSSL.
     PR 63136. [Yann Ylavic]


  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     mod_session: mod_session_cookie does not respect expiry time allowing
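--- a/(file path not shown on page)
+++ b/(file path not shown on page)
@@ -331,9 +331,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
     /*
      * Try to kill the internals of the SSL library.
      */
-#ifdef HAVE_FIPS
-    FIPS_mode_set(0);
-#endif
     /* Corresponds to OBJ_create()s */
     OBJ_cleanup();
     /* Corresponds to OPENSSL_load_builtin_modules() */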
+11 −1
@@ -183,6 +183,14 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
    return 0;
    return 0;
}
}


#ifdef HAVE_FIPS
static apr_status_t modssl_fips_cleanup(void *data)
{
    FIPS_mode_set(0);
    return APR_SUCCESS;
}
#endif

/*
/*
 *  Per-module initialization
 *  Per-module initialization
 */
 */
@@ -316,6 +324,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
            if (FIPS_mode_set(1)) {
            if (FIPS_mode_set(1)) {
                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
                             "Operating in SSL FIPS mode");
                             "Operating in SSL FIPS mode");
                apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
                                          apr_pool_cleanup_null);
            }
            }
            else {
            else {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");