granicus.if.org Git - apache/commitdiff
I'm wrong. Reviewing SecurityPolicy (2.0.13 + 1.2.4) at
author    William A. Rowe Jr <wrowe@apache.org>
          Thu, 23 Mar 2017 14:50:56 +0000 (14:50 +0000)
committer William A. Rowe Jr <wrowe@apache.org>
          Thu, 23 Mar 2017 14:50:56 +0000 (14:50 +0000)
https://www.openssl.org/docs/fips/ - using FIPS_mode_set(1) for revalidation
was actually expressly called out in section 3. While mod_ssl is 'unloaded'
(unconfigured) the process is not operating in a FIPS-validated manner, but
once the configuration resets FIPS_mode_set(1) it resumes validated behavior.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1788258 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index 52cf0735c5a4e18433b51a7d8dbc13d0d82c375f..70a768f13e8bc5be19585b2990bb5499b78e1981 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -172,11 +172,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
                   http://svn.apache.org/r1781190
                   http://svn.apache.org/r1781312
      2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-mod_ssl-restart_leaks-v2.patch
-     +1: ylavic, jim
-     -1: wrowe - FIPS_mode_set(0) breaks FIPS policy and should be a noop, AIUI?
-         (FIPS_mod_set(1) is per-process, but if openssl has been unloaded,
-          unloaded, then it is obviously repeated on reload. Perhaps dodge the
-          second mode set with linked-in mod_ssl?)
+     +1: ylavic, jim, wrowe
 
   *) mod_proxy_hcheck: Don't validate timed out responses.
      trunk patch: http://svn.apache.org/r1779574
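Review bot: the withdrawn -1 and its whole rationale disappear from the STATUS entry, so the backport record no longer shows why the objection about FIPS_mode_set(0) was resolved; the justification (OpenSSL FIPS docs section 3: FIPS_mode_set(1) is the documented revalidation path, per-process, and repeated after mod_ssl is reloaded) now lives only in this commit message. Consider keeping a one-line note beside the vote so the entry is self-explanatory, e.g. `+1: ylavic, jim, wrowe (FIPS_mode_set(1) on reload revalidates, see https://www.openssl.org/docs/fips/ sec. 3)`. Removing the old lines also drops the stray `FIPS_mod_set(1)` typo and the duplicated "unloaded, unloaded", so nothing from them needs to be carried over verbatim.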