Merge of r1853133,r1853166 from trunk:

mod_ssl: Don't unset FIPS mode on restart unless it's forced by configuration (SSLFIPS on) and not active by default in OpenSSL. PR 63136. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1853197 13f79535-47bb-0310-9956-ffa450edef68
2025-08-15 23:27:39 +00:00 · 2019-02-08 09:01:42 +00:00
parent 7d7f8d13d9
commit fd5efd0b43
3 changed files with 14 additions and 5 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@ -183,6 +183,14 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
    return 0;
 }

+#ifdef HAVE_FIPS
+static apr_status_t modssl_fips_cleanup(void *data)
+{
+    FIPS_mode_set(0);
+    return APR_SUCCESS;
+}
+#endif
+
 /*
 *  Per-module initialization
 */
@ -311,11 +319,13 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");

 #ifdef HAVE_FIPS
-    if(sc->fips) {
+    if (sc->fips) {
        if (!FIPS_mode()) {
            if (FIPS_mode_set(1)) {
                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
                             "Operating in SSL FIPS mode");
+                apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+                                          apr_pool_cleanup_null);
            }
            else {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");