Author: schultz
Date: Thu Nov 10 17:43:07 2011
New Revision: 1200448

URL: http://svn.apache.org/viewvc?rev=1200448&view=rev
Log:
Back-ported documentation and error-handling improvements for 
AprLifecycleListener FIPSMode.

Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
    tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1200448&r1=1200447&r2=1200448&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java 
Thu Nov 10 17:43:07 2011
@@ -108,8 +108,19 @@ public class AprLifecycleListener
                     try {
                         initializeSSL();
                     } catch (Throwable t) {
-                        ExceptionUtils.handleThrowable(t);
-                        log.error(sm.getString("aprListener.sslInit"), t);
+                        // FIPS Errors are always fatal
+                        if("on".equalsIgnoreCase(FIPSMode)
+                           && !isFIPSModeActive()) {
+                            if(t instanceof Error)
+                               throw (Error)t;
+                            else if(t instanceof RuntimeException)
+                                throw (RuntimeException)t;
+                            else
+                                throw new 
IllegalStateException(sm.getString("aprListener.sslInit"), t);
+                        } else {
+                            ExceptionUtils.handleThrowable(t);
+                            log.error(sm.getString("aprListener.sslInit"), t);
+                        }
                     }
                 }
             }
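Review bot: The fatal branch rethrows `t` without logging it, so the `aprListener.sslInit` message appears only when `t` is a checked exception that gets wrapped; for an `Error` or `RuntimeException` the operator sees the bare throwable with nothing tying the abort to the FIPS requirement. Consider adding `log.error(sm.getString("aprListener.sslInit"), t);` as the first statement inside the `if("on".equalsIgnoreCase(FIPSMode) && !isFIPSModeActive())` block. The hunk does not show how the caller of this listener treats the rethrown exception or how `isFIPSModeActive()` gets its value, so it is worth confirming there that startup really fails closed when FIPS was requested. As a style point, the unbraced `if`/`else if`/`else` chain would be less fragile with braces. The enclosing method starts and ends outside the hunk.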

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml?rev=1200448&r1=1200447&r2=1200448&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/listeners.xml Thu Nov 10 17:43:07 
2011
@@ -110,6 +110,14 @@
         this to <code>/dev/urandom</code> to allow quicker start times.</p>
       </attribute>
 
+      <attribute name="FIPSMode" required="false">
+        <p>Set to "on" to instruct OpenSSL to go into FIPS mode.
+        FIPS mode <i>requires you to have a FIPS-capable OpenSSL library which
+        you must build yourself</i>.
+        FIPS mode also requires Tomcat native library version 1.1.23 or later,
+        which <i>must be built against the FIPS-compatible OpenSSL</i> library.
+        The default value is <code>off</code>.</p>
+      </attribute>
     </attributes>
 
   </subsection>


