Index: java/org/apache/catalina/core/AprLifecycleListener.java
===================================================================
--- java/org/apache/catalina/core/AprLifecycleListener.java (revision 1559183)
+++ java/org/apache/catalina/core/AprLifecycleListener.java (working copy)
@@ -255,7 +255,41 @@
 method = clazz.getMethod(methodName, paramTypes);
 method.invoke(null, paramValues);
- if("on".equalsIgnoreCase(FIPSMode)) {
+ boolean enterFipsMode;
+
+ if("on".equalsIgnoreCase(FIPSMode)
+ || "require".equalsIgnoreCase(FIPSMode)) {
+ int fipsModeState = SSL.fipsModeGet();
+
+ if(log.isDebugEnabled())
+ log.debug(sm.getString("aprListener.currentFIPSMode",
+ Integer.valueOf(fipsModeState)));
+
+ // Return values: 0=Not in FIPS mode, 1=In FIPS mode,
+ // exception if FIPS totally unavailable
+ enterFipsMode = 1 != fipsModeState;
+
+ if("on".equalsIgnoreCase(FIPSMode)) {
+ if(!enterFipsMode)
+ log.info(sm.getString("aprListener.skipFIPSInitialization"));
+ } else if("require".equalsIgnoreCase(FIPSMode)) {
+ if(enterFipsMode)
+ {
+ String message = sm.getString("aprListener.alreadyInFIPSMode");
+ log.error(message);
+ throw new IllegalStateException(message);
+ }
+ }
+ }
+ else if("enter".equalsIgnoreCase(FIPSMode))
+ {
+ enterFipsMode = true;
+ }
+ else
+ enterFipsMode = false;
+
+ if(enterFipsMode)
+ {
 log.info(sm.getString("aprListener.initializingFIPS"));
 int result = SSL.fipsModeSet(1);
Index: java/org/apache/catalina/core/LocalStrings.properties
===================================================================
--- java/org/apache/catalina/core/LocalStrings.properties (revision 1559183)
+++ java/org/apache/catalina/core/LocalStrings.properties (working copy)
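Review bot: In the `require` branch the condition and the message disagree: the throw fires when `enterFipsMode` is true, i.e. when `SSL.fipsModeGet()` reported that OpenSSL is not in FIPS mode, yet the text logged and thrown is `aprListener.alreadyInFIPSMode` ("...FIPS mode was already enabled"), so an operator diagnosing a failed startup sees the opposite of what happened. Given that listeners.xml describes `require` as requiring OpenSSL to already be in FIPS mode, the condition is right and the message needs its own key, e.g. `String message = sm.getString("aprListener.requireNotInFIPSMode");` with a matching line in the LocalStrings.properties hunk (key name is a suggestion). The `enter` branch sets `enterFipsMode = true` without consulting `SSL.fipsModeGet()`, so the "error if OpenSSL is already in FIPS mode" behaviour promised in listeners.xml presumably depends on `SSL.fipsModeSet(1)` failing further down, outside this hunk; either check it explicitly here or say so in a comment next to `enterFipsMode = true;`. The trailing `else` maps every unrecognised value of `FIPSMode` (including a typo such as a misspelt `require`) to `enterFipsMode = false`, so the listener silently runs without FIPS; a `log.warn` naming the rejected value, or throwing on unknown values, would make that misconfiguration visible. The enclosing method begins and ends outside the hunk.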
@@ -56,6 +56,9 @@
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0} using APR version {1}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.currentFIPSMode=Current FIPS mode: {0}
+aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization.
+aprListener.alreadyInFIPSMode=AprLifecycleListener requested to force entering FIPS mode, but FIPS mode was already enabled.
 aprListener.initializingFIPS=Initializing FIPS mode...
 aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
 aprListener.initializeFIPSFailed=Failed to enter FIPS mode
Index: java/org/apache/tomcat/jni/SSL.java
===================================================================
--- java/org/apache/tomcat/jni/SSL.java (revision 1559183)
+++ java/org/apache/tomcat/jni/SSL.java (working copy)
@@ -231,6 +231,14 @@
 public static native int initialize(String engine);
 /**
+ * Get the status of FIPS Mode.
+ *
+ * @return 0 If OpenSSL is not in FIPS mode, 1 if OpenSSL is in FIPS Mode.
+ * @throws Exception If tcnative was not compiled with FIPS Mode available.
+ */
+ public static native int fipsModeGet();
+
+ /**
 * Enable/Disable FIPS Mode.
 *
 * @param mode 1 - enable, 0 - disable
Index: webapps/docs/config/listeners.xml
===================================================================
--- webapps/docs/config/listeners.xml (revision 1559183)
+++ webapps/docs/config/listeners.xml (working copy)
@@ -112,7 +112,12 @@
-
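Review bot: The Javadoc added for `fipsModeGet()` says `@throws Exception`, but the method declares no `throws` clause, so whatever the native side raises on a build without FIPS support must be an unchecked exception, and `Exception` misstates the contract to callers such as the new code in AprLifecycleListener, which does not catch it. Name the concrete unchecked type the JNI implementation throws (not visible from this diff), or if it varies, say so in prose, e.g. `* @throws RuntimeException-derived exception, raised from native code, if tcnative was not compiled with FIPS Mode available.` Since the method is the counterpart of `fipsModeSet`, whose Javadoc ("1 - enable, 0 - disable") follows directly below, add `{@link #fipsModeSet(int)}` so readers see the two share the same 0/1 convention.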

Set to on to instruct OpenSSL to go into FIPS mode. +

Set to on to request that OpenSSL be in FIPS mode + (if OpenSSL is already in FIPS mode, it will remain in FIPS mode). + Set to enter to force OpenSSL to enter FIPS mode (an error + will occur if OpenSSL is already in FIPS mode). + Set to require to require that OpenSSL already be + in FIPS mode. FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. FIPS mode also requires Tomcat native library version 1.1.23 or later,