-*- coding: utf-8 -*-
Changes with Apache 2.4.39
-Changes with Apache 2.4.38
+ *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+ configuration (SSLFIPS on) and not active by default in OpenSSL.
+ PR 63136. [Yann Ylavic]
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
/*
* Try to kill the internals of the SSL library.
*/
-#ifdef HAVE_FIPS
- FIPS_mode_set(0);
-#endif
/* Corresponds to OBJ_create()s */
OBJ_cleanup();
/* Corresponds to OPENSSL_load_builtin_modules() */
return 0;
}
+#ifdef HAVE_FIPS
+static apr_status_t modssl_fips_cleanup(void *data)
+{
+ FIPS_mode_set(0);
+ return APR_SUCCESS;
+}
+#endif
+
/*
* Per-module initialization
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
#ifdef HAVE_FIPS
- if(sc->fips) {
+ if (sc->fips) {
if (!FIPS_mode()) {
if (FIPS_mode_set(1)) {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
"Operating in SSL FIPS mode");
+ apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+ apr_pool_cleanup_null);
}
else {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
projects / thirdparty / apache / httpd.git / commitdiff
