Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java

Wed, 09 Nov 2011 14:25:01 -0800 

2011/11/10 Mark Thomas <ma...@apache.org>:
>>> On 09/11/2011 21:34, schu...@apache.org wrote:
>>>> Author: schultz Date: Wed Nov  9 21:34:31 2011 New Revision:
>>>> 1199980
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1199980&view=rev Log:
>>>> Fixed bug #50570 - Allow explicit use of FIPS mode in APR
>>>> lifecycle listener - Added "FIPSMode" attribute to
>>>> AprLifecycleListener that causes OpenSSL to go into FIPS mode
>>>
>>> Isn't this dependent on an tcnative update?
>>
>> Yes, it is. I'm updating the documentation for AprLifecycleListener
>> and I will mention the version dependency in there. If this is not
>> yet appropriate to release, I can roll-back the patch.
>
> What happens if I try this with 1.1.22? If it blows up, that is bad.
> If it logs an error, that is fine. If it silently carries on, that is bad.
>

Just testing this.

If I do not set FIPSMode property, all is OK. No difference from
previous behaviour.

If I set FIPSMode="on", the following happens

[[[
10-Nov-2011 01:13:59.484 INFO [main]
org.apache.catalina.core.AprLifecycleListener.init Loaded APR based
Apache Tomcat Native library 1.1.22.
10-Nov-2011 01:13:59.500 INFO [main]
org.apache.catalina.core.AprLifecycleListener.init APR capabilities:
IPv6 [false], sendfile [true], accept filters [false], random [true].
10-Nov-2011 01:13:59.937 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL
Initializing FIPS mode...
10-Nov-2011 01:13:59.937 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.
 java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSL.fipsModeSet(I)I
        at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
        at 
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:248)
        at 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:109)
        at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at 
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
(...)
10-Nov-2011 01:14:01.203 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 1030 ms
]]]

There is java.lang.UnsatisfiedLinkError (and not the
IllegalStateException that the code throws).

Despite this error, Tomcat startup sequence continues.

I guess that from FIPS PoV the failure to initialize FIPS mode should
be more fatal, regardless of its cause.
Be it because of native lib returning error code or this tc-native
version mismatch.
Maybe even throw an error if SSLEngine was not "on". Now it just
causes the FIPS mode to be ignored.

I do not know why UnsatisfiedLinkError error was not enough to break it.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to