[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 95/156: Make FIPS mode work. This fixes 2 problems:

Timo Aaltonen tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:32 UTC 2014


This is an automated email from the git hooks/post-receive script.

tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.

commit 70604635a44eecb3cb73303ed421e3006e4153b5
Author: rcritten <>
Date:   Fri May 16 15:16:02 2008 +0000

    Make FIPS mode work. This fixes 2 problems:
    
    1. In nss_init_SSLLibrary() the server config wasn't being set properly
       for each virtual server so FIPS wasn't getting turned on.
    2. There seems to be a problem in NSS_Shutdown() that makes subsequent
       logins appear to succeed but they actually are skipped, causing keys
       and certs to not be available.
    
    Also switch an error message to a warning related to FIPS ciphers.
---
 nss_engine_init.c    | 5 +++--
 nss_engine_pphrase.c | 7 +++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/nss_engine_init.c b/nss_engine_init.c
index c83a4aa..c4e2d90 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -148,9 +148,10 @@ static void nss_init_SSLLibrary(server_rec *base_server)
     const char * ocspurl = NULL;
     const char * ocspname = NULL;
 
-    sc = mySrvConfig(base_server);
 
     for (s = base_server; s; s = s->next) {
+        sc = mySrvConfig(s);
+
         if (sc->fips == TRUE) {
             fipsenabled = TRUE;
         }
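Review bot: after this hunk `sc` is reassigned on every iteration of the `for (s = base_server; ...)` loop, so once the loop ends it holds the config of the last virtual server rather than of `base_server` as before; anything further down in nss_init_SSLLibrary() that still reads `sc` expecting the base server's settings should be checked, or `sc = mySrvConfig(base_server)` restored after the loop. Minor: removing the assignment leaves two consecutive blank lines before the `for`.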
@@ -802,7 +803,7 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
     if (mctx->sc->fips) {
         for (i=0; i<ciphernum; i++) {
             if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
-                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                     "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
                 cipher_state[i] = PR_FALSE;
             }
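Review bot: the drop from APLOG_ERR to APLOG_WARNING is consistent with what the loop does, since the non-FIPS cipher is disabled right after the message (`cipher_state[i] = PR_FALSE`) and startup continues with only FIPS ciphers; it would help to state in the commit message or documentation that non-FIPS entries in the configured cipher list are pruned at startup rather than treated as a fatal misconfiguration, so administrators know to watch the warning when auditing the effective cipher set.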
diff --git a/nss_engine_pphrase.c b/nss_engine_pphrase.c
index 83005bf..8a77301 100644
--- a/nss_engine_pphrase.c
+++ b/nss_engine_pphrase.c
@@ -62,6 +62,13 @@ SECStatus nss_Init_Tokens(server_rec *s)
     {
         PK11SlotInfo *slot = listEntry->slot;
 
+        /* This is needed to work around a bug in NSS while in FIPS mode.
+         * The first login will succeed but NSS_Shutdown() isn't cleaning
+         * something up causing subsequent logins to be skipped making
+         * keys and certs unavailable.
+         */
+        PK11_Logout(slot);
+
         if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
             if (slot == PK11_GetInternalKeySlot()) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
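Review bot: the SECStatus returned by the added `PK11_Logout(slot)` is discarded; since the whole point of the call is to force a real login on the next `PK11_NeedLogin(slot)` check, a failure here should at least be logged (APLOG_DEBUG is enough) so the skipped-login symptom the comment describes can be diagnosed. The comment should also carry the NSS bug reference (use a placeholder such as "NSS bug <number>" until one is filed) so the workaround can be removed once the NSS_Shutdown() cleanup is fixed upstream.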

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git