Author: schultz Date: Thu Nov 10 17:43:07 2011 New Revision: 1200448 URL: http://svn.apache.org/viewvc?rev=1200448&view=rev Log: Back-ported documentation and error-handling improvements for AprLifecycleListener FIPSMode.
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1200448&r1=1200447&r2=1200448&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Thu Nov 10 17:43:07 2011
@@ -108,8 +108,19 @@ public class AprLifecycleListener
 try {
 initializeSSL();
 } catch (Throwable t) {
- ExceptionUtils.handleThrowable(t);
- log.error(sm.getString("aprListener.sslInit"), t);
+ // FIPS Errors are always fatal
+ if("on".equalsIgnoreCase(FIPSMode)
+ && !isFIPSModeActive()) {
+ if(t instanceof Error)
+ throw (Error)t;
+ else if(t instanceof RuntimeException)
+ throw (RuntimeException)t;
+ else
+ throw new IllegalStateException(sm.getString("aprListener.sslInit"), t);
+ } else {
+ ExceptionUtils.handleThrowable(t);
+ log.error(sm.getString("aprListener.sslInit"), t);
+ }
 }
 }
 }
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml?rev=1200448&r1=1200447&r2=1200448&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml Thu Nov 10 17:43:07 2011
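Review bot: The fail-closed branch in the new `catch (Throwable t)` body rethrows without writing anything to the log, and only the wrapped case carries the generic `aprListener.sslInit` text, so an aborted startup may not state that FIPS mode was requested and could not be activated. Adding `log.error(sm.getString("aprListener.sslInit"), t);` as the first statement of that branch (ideally with a FIPS-specific message) would record the reason regardless of how the caller handles the rethrown exception. The comment `// FIPS Errors are always fatal` is also broader than the condition: the failure is fatal only while `isFIPSModeActive()` is still false at catch time, so an exception raised after FIPS has been activated is logged and startup continues; a more precise comment would be `// Fail closed: FIPS was requested but OpenSSL is not in FIPS mode`. Whether that gap matters depends on `initializeSSL()` and `isFIPSModeActive()`, which are outside the hunk, as are the start and end of the enclosing method.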
@@ -110,6 +110,14 @@ this to <code>/dev/urandom</code> to allow quicker start times.</p> </attribute> + <attribute name="FIPSMode" required="false"> + <p>Set to "on" to instruct OpenSSL to go into FIPS mode. + FIPS mode <i>requires you to have a FIPS-capable OpenSSL library which + you must build yourself</i>. + FIPS mode also requires Tomcat native library version 1.1.23 or later, + which <i>must be built against the FIPS-compatible OpenSSL</i> library. + The default value is <code>off</code>.</p> + </attribute> </attributes> </subsection>