From 629dab8ca3f784ab724d25ba4f3ea6b0ac824c4e Mon Sep 17 00:00:00 2001 From: "William A. Rowe Jr" Date: Thu, 23 Mar 2017 14:50:56 +0000 Subject: [PATCH] I'm wrong. Reviewing SecurityPolicy (2.0.13 + 1.2.4) at https://www.openssl.org/docs/fips/ - using FIPS_mode_set(1) for revalidation was actually expressly called out in section 3. While mod_ssl is 'unloaded' (unconfigured) the process is not operating in a fips validated manner, but once the configuration resets FIPS_mode_set(1) it resumes validated behavior. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1788258 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/STATUS b/STATUS index 52cf0735c5..70a768f13e 100644 --- a/STATUS +++ b/STATUS @@ -172,11 +172,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: http://svn.apache.org/r1781190 http://svn.apache.org/r1781312 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-mod_ssl-restart_leaks-v2.patch - +1: ylavic, jim - -1: wrowe - FIPS_mode_set(0) breaks FIPS policy and should be a noop, AIUI? - (FIPS_mod_set(1) is per-process, but if openssl has been unloaded, - unloaded, then it is obviously repeated on reload. Perhaps dodge the - second mode set with linked-in mod_ssl?) + +1: ylavic, jim, wrowe *) mod_proxy_hcheck: Don't validate timed out responses. trunk patch: http://svn.apache.org/r1779574 -- 2.50.1
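Review bot: the withdrawn objection loses its rationale in STATUS; the hunk deletes the `-1: wrowe` comment (the FIPS_mode_set(0) concern and the note that FIPS_mode_set(1) is per-process and repeated on reload) and adds wrowe to `+1: ylavic, jim, wrowe` with nothing recording why the concern was resolved, so the only explanation is in the commit message. Consider keeping a one-line note beside the vote pointing at section 3 of the OpenSSL Security Policy (2.0.13 + 1.2.4) cited in the commit message, which expressly covers FIPS_mode_set(1) for revalidation, so the question is not re-raised the next time the httpd-2.4.x-mod_ssl-restart_leaks-v2 backport is reviewed.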