File apache2-unset-FIPS-only-when-we-set-it.patch of Package apache2.22344
Index: httpd-2.4.33/modules/ssl/mod_ssl.c
===================================================================
--- httpd-2.4.33.orig/modules/ssl/mod_ssl.c 2018-02-14 00:43:36.000000000 +0100
+++ httpd-2.4.33/modules/ssl/mod_ssl.c 2021-05-10 15:27:44.074706279 +0200
@@ -331,9 +331,6 @@ static apr_status_t ssl_cleanup_pre_conf
/*
* Try to kill the internals of the SSL library.
*/
-#ifdef HAVE_FIPS
- FIPS_mode_set(0);
-#endif
/* Corresponds to OBJ_create()s */
OBJ_cleanup();
/* Corresponds to OPENSSL_load_builtin_modules() */
Index: httpd-2.4.33/modules/ssl/ssl_engine_init.c
===================================================================
--- httpd-2.4.33.orig/modules/ssl/ssl_engine_init.c 2021-05-10 15:27:44.030706038 +0200
+++ httpd-2.4.33/modules/ssl/ssl_engine_init.c 2021-05-10 18:09:29.535123231 +0200
@@ -183,6 +183,14 @@ int ssl_is_challenge(conn_rec *c, const
return 0;
}
+#ifdef HAVE_FIPS
+static apr_status_t modssl_fips_cleanup(void *data)
+{
+ FIPS_mode_set(0);
+ return APR_SUCCESS;
+}
+#endif
+
/*
* Per-module initialization
*/
@@ -310,11 +318,13 @@ apr_status_t ssl_init_Module(apr_pool_t
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
#ifdef HAVE_FIPS
- if(sc->fips) {
+ if (sc->fips) {
if (!FIPS_mode()) {
if (FIPS_mode_set(1)) {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
- "Operating in SSL FIPS mode");
+ "Switched to SSL FIPS mode");
+ apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+ apr_pool_cleanup_null);
}
else {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
@@ -322,6 +332,10 @@ apr_status_t ssl_init_Module(apr_pool_t
return ssl_die(s);
}
}
+ else {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
+ "Operating in SSL FIPS mode");
+ }
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
