Mladen, On 4/16/14, 8:52 AM, mt...@apache.org wrote: > Author: mturk > Date: Wed Apr 16 12:52:16 2014 > New Revision: 1587896 > > URL: http://svn.apache.org/r1587896 > Log: > Fix Bz56396. Be tolerant on RSA keys < 1024 bits > > Modified: > tomcat/native/branches/1.1.x/native/src/ssl.c > tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml > > Modified: tomcat/native/branches/1.1.x/native/src/ssl.c > URL: > http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1587896&r1=1587895&r2=1587896&view=diff > ============================================================================== > --- tomcat/native/branches/1.1.x/native/src/ssl.c (original) > +++ tomcat/native/branches/1.1.x/native/src/ssl.c Wed Apr 16 12:52:16 2014 > @@ -221,6 +221,14 @@ static const jint supported_ssl_opts = 0 > > static int ssl_tmp_key_init_rsa(int bits, int idx) > { > +#ifdef OPENSSL_FIPS > + /** > + * With FIPS mode short RSA keys cannot be > + * generated. > + */ > + if (bits < 1024) > + return 0; > +#endif
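Review bot: the early `return 0` added under `OPENSSL_FIPS` skips generating the temporary RSA key for slot `idx`, but the hunk does not show how the caller interprets that return value or whether anything later reads the slot left empty; the comment block should say that 0 here means "key deliberately not generated" so a caller does not mistake it for a generation failure, and the code paths that use the skipped slot need to cope with its absence. The comment also uses a `/** ... */` doc-comment opener for an inline note; a plain `/* ... */` matches the style of a block comment inside a function body.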
Why not fix this by removing the actual call to ssl_tmp_key_init_rsa(512) instead of modifying the behavior of the function? -chris