On Wed, May 12, 2021 at 02:25:42PM +0200, pgajdos wrote:
> Hello,
> 
> I have a question regarding the logic around SSLFIPS on/off. After
> https://svn.apache.org/viewvc?view=revision&revision=1853197
> I think SSLFIPS off will not work as expected.
...
> In case sc->fips is FALSE (SSLFIPS off or not set), the
> FIPS_mode_set() is not called at all and the fips mode is untouched.
> If I understand correctly, it can be ON as it is on my system when a
> binary starts up.

Agreed.

> Question also is, whether the FIPS mode should not stand untouched
> when SSLFIPS is not specified at all (not intending to turn it off).
> Perhaps even more basic concern, what is actually the purpose
> (use case) of the SSLFIPS directive? In other words, in case you have a
> FIPS system, why would you want to disable it in httpd?

It looks to me like "SSLFIPS off" has never worked even before r1853197.
I assume the use case was the opposite - turning on FIPS on a system
without it enabled globally.  (AFAIK my users/customers only care about
systems where FIPS is an OS-level setting so I don't care about that use
case either)

It also looks like OpenSSL 3.0 will be removing the functions entirely: 
https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
 
though I've only built against alpha16 so far and FIPS*() are still 
there.

My preference would be to remove SSLFIPS from trunk mod_ssl completely.

Regards, Joe
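To make the "off" versus "not set" distinction from the quoted question concrete, here is an added model of the directive handling (not mod_ssl's code and not linked against OpenSSL): a hypothetical tri-state directive, a mock of the process-wide FIPS flag standing in for FIPS_mode()/FIPS_mode_set(), and two initialisation variants, one with the "only call when on" logic the message describes and one that honours an explicit off while leaving an unset directive alone.

```c
/* Hypothetical tri-state for the SSLFIPS directive; "unset" is kept
 * distinct from "off" so the two cases can be told apart. */
enum fips_directive { FIPS_UNSET = 0, FIPS_ON = 1, FIPS_OFF = 2 };

/* Mock of the process-wide OpenSSL FIPS flag so the model runs without
 * linking OpenSSL. With an OS-level FIPS policy it is already 1 when
 * the binary starts, which is the situation in the thread. */
static int mock_fips_mode;

static int mock_FIPS_mode(void) { return mock_fips_mode; }

static int mock_FIPS_mode_set(int on)
{
    mock_fips_mode = on ? 1 : 0;
    return 1; /* success, as FIPS_mode_set() would report */
}

/* Logic as described in the quoted message: FIPS_mode_set() is only
 * reached for "on"; "off" and "unset" both leave the startup mode
 * untouched. Returns the mode after initialisation. */
int fips_init_current(enum fips_directive d, int mode_at_startup)
{
    mock_fips_mode = mode_at_startup;
    if (d == FIPS_ON && !mock_FIPS_mode())
        mock_FIPS_mode_set(1);
    return mock_FIPS_mode();
}

/* Variant that turns FIPS off only on an explicit "off" and leaves an
 * unset directive alone, the behaviour the question argues for. */
int fips_init_tristate(enum fips_directive d, int mode_at_startup)
{
    mock_fips_mode = mode_at_startup;
    if (d == FIPS_ON && !mock_FIPS_mode())
        mock_FIPS_mode_set(1);
    else if (d == FIPS_OFF && mock_FIPS_mode())
        mock_FIPS_mode_set(0);
    return mock_FIPS_mode();
}
```

With FIPS already on at startup, `fips_init_current(FIPS_OFF, 1)` still returns 1, which is the "SSLFIPS off does nothing" outcome; the tri-state variant returns 0 for the same input and leaves `FIPS_UNSET` untouched in both directions.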
