mod_ssl: unset FIPS mode only if we set it.

If FIPS mode is set by default per openssl lib/module, we should not unset it on restart or it might never be set again. PR 63136 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1853133 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2019-02-07 13:38:12 +00:00
parent 21b79dcffe
commit 96b6041d70
2 changed files with 11 additions and 4 deletions
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -348,9 +348,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
    /*
     * Try to kill the internals of the SSL library.
     */
-#ifdef HAVE_FIPS
-    FIPS_mode_set(0);
-#endif
    /* Corresponds to OBJ_create()s */
    OBJ_cleanup();
    /* Corresponds to OPENSSL_load_builtin_modules() */
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -190,6 +190,14 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
    return 0;
 }

+#ifdef HAVE_FIPS
+static apr_status_t modssl_fips_cleanup(void *data)
+{
+    FIPS_mode_set(0);
+    return APR_SUCCESS;
+}
+#endif
+
 /*
 *  Per-module initialization
 */
@@ -314,11 +322,13 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");

 #ifdef HAVE_FIPS
-    if(sc->fips) {
+    if (sc->fips) {
        if (!FIPS_mode()) {
            if (FIPS_mode_set(1)) {
                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
                             "Operating in SSL FIPS mode");
+                apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+                                          apr_pool_cleanup_null);
            }
            else {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");