authorrcritten <>2008-05-16 15:16:02 +0000
committerrcritten <>2008-05-16 15:16:02 +0000
commit70604635a44eecb3cb73303ed421e3006e4153b5 (patch)
tree3f3a0de15fb61bdeee274730a439937802e16d26
parentf0cbeb223317ecec841ce4203834633b7d8184b3 (diff)
Make FIPS mode work. This fixes 2 problems:
1. In nss_init_SSLLibrary() the server config wasn't being set properly for each virtual server, so FIPS wasn't getting turned on. 2. There seems to be a problem in NSS_Shutdown() that makes subsequent logins appear to succeed when they are actually skipped, causing keys and certs to be unavailable. Also switch an error message to a warning related to FIPS ciphers.
-rw-r--r--nss_engine_init.c5
-rw-r--r--nss_engine_pphrase.c7
2 files changed, 10 insertions, 2 deletions
diff --git a/nss_engine_init.c b/nss_engine_init.c
index c83a4aa..c4e2d90 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -148,9 +148,10 @@ static void nss_init_SSLLibrary(server_rec *base_server)
const char * ocspurl = NULL;
const char * ocspname = NULL;
- sc = mySrvConfig(base_server);
for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
if (sc->fips == TRUE) {
fipsenabled = TRUE;
}
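Review bot: With `sc = mySrvConfig(s)` now assigned inside the loop, `sc` holds the last virtual server's config once the loop ends, whereas before this change it held base_server's config for the rest of nss_init_SSLLibrary. Any later use of `sc` in this function (it continues outside the hunk) that assumed the base server now silently reads the last vhost's settings. If such a use exists, restore the old value after the loop with `sc = mySrvConfig(base_server);`, or give the loop its own local config variable and leave `sc` as it was. I cannot see from the hunk whether `sc` is used after the loop, so this is an inference to confirm.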
@@ -802,7 +803,7 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
if (mctx->sc->fips) {
for (i=0; i<ciphernum; i++) {
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
"Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
cipher_state[i] = PR_FALSE;
}
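Review bot: After this loop disables every enabled non-FIPS cipher, nothing in the hunk guarantees that at least one cipher is still enabled, so a FIPS vhost whose SSLCipherSuite lists only non-FIPS ciphers would start with an empty cipher list and fail every handshake at runtime instead of being caught at startup. Downgrading the per-cipher message to APLOG_WARNING is reasonable since the cipher is disabled anyway, but consider counting the ciphers that survive and logging at APLOG_ERR (or failing startup) when none do, e.g. `if (fips_ciphers_enabled == 0) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "No FIPS-approved cipher is enabled");`. nss_init_ctx_cipher_suite continues outside the hunk, so such a check may already exist further down.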
diff --git a/nss_engine_pphrase.c b/nss_engine_pphrase.c
index 83005bf..8a77301 100644
--- a/nss_engine_pphrase.c
+++ b/nss_engine_pphrase.c
@@ -62,6 +62,13 @@ SECStatus nss_Init_Tokens(server_rec *s)
{
PK11SlotInfo *slot = listEntry->slot;
+ /* This is needed to work around a bug in NSS while in FIPS mode.
+ * The first login will succeed but NSS_Shutdown() isn't cleaning
+ * something up causing subsequent logins to be skipped making
+ * keys and certs unavailable.
+ */
+ PK11_Logout(slot);
+
if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if (slot == PK11_GetInternalKeySlot()) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
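Review bot: The added `PK11_Logout(slot);` discards its SECStatus return value and runs unconditionally for every slot, although the comment scopes the workaround to FIPS mode. At minimum report a failure so a skipped login is diagnosable rather than surfacing later as missing keys: `if (PK11_Logout(slot) != SECSuccess) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "PK11_Logout failed for token %s", PK11_GetTokenName(slot));`. If non-FIPS deployments should not pay for the extra logout, guard it on the server's FIPS setting (the config is reachable via s, as elsewhere in the module). The comment should also cite the NSS bug being worked around so the call can be removed once NSS is fixed; nss_Init_Tokens continues outside the hunk.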