Hi,

On Wed, Feb 10, 2016 at 11:14 PM, Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> To those down and dirty with httpd: is there a reason not to
> UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
> doesn't support FIPS mode, it will complain about it and refuse to
> enter FIPS mode. The httpd code already handles this in
> modules/ssl/ssl_engine_init.c:
>
>> #ifdef HAVE_FIPS
>>     if (sc->fips) {
>>         if (!FIPS_mode()) {
>>             if (FIPS_mode_set(1)) {
>>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
>>                              "Operating in SSL FIPS mode");
>>             }
>>             else {
>>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
>>                              "FIPS mode failed");
>>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>>                 return ssl_die(s);
>>             }
>>         }
>>     }
>>     else {
>>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
>>                      "SSL FIPS mode disabled");
>>     }
>> #endif
>
> I don't see a compelling reason to have all the #ifdef HAVE_FIPS
> conditionals all over the place.

OPENSSL_FIPS is something defined by OpenSSL when FIPS has been
./config-ured. Apache httpd should be run against an OpenSSL version
ABI-compatible with the one it was compiled with, whereas FIPS vs
non-FIPS OpenSSLs are possibly not ABI-compatible...

Regards,
Yann.