William,

On 1/31/2011 1:57 PM, William A. Rowe Jr. wrote:
> On 1/30/2011 8:20 AM, Christopher Schultz wrote:
>> Chris,
>>
>> On 1/27/2011 3:54 PM, Chris Beckey wrote:
>>> Chris,
>>> To set some context, I posted on the tomcat users list serve a question
>>> about running OpenSSL in FIPS mode under Tomcat.
>>> The last communication was that you may investigate an enhancement.
>>> Since then, one of my co-workers took on the C coding side and I took on
>>> the Java side. I believe that we have it running now but I still have
>>> testing to complete before I'd call it stable.
>>> As you may know the FIPS compliant version of OpenSSL is not the current
>>> version. What we have running is:
>>> Tomcat V 6.0.20
>>> OpenSSL FIPS module V 1.2.2
>>> Open SSL V 0.9.6q
>>> tcnative V 1.1.20
>>> APR V 1.4.2
>>> I have found that the versions used are critical, these were the newest
>>> versions of the libraries I could get to work together, with the exception
>>> of Tomcat itself. Usage of 6.0.20 is simply because that is what our
>>> application is to be released on.
>>> Anyway, the point of this email is to inquire whether you would like the
>>> code for integration back into the code base? I also have a fairly
>>> detailed list of steps used to do the build(s).
>
> Note this isn't enough, if you did not call FIPS_mode_set(), you aren't
> running FIPS validated code.
I'm pretty sure he's calling it: In the past, I asked if simply using
FIPS-approved ciphers were sufficient and he said "no". This is why there
is a patch coming hopefully in the near future.

Note that (the other) Chris is probably not subscribed to the list.

Feel free to watch this bug for updates:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570

> The nice way to do this would be to enhance tcnative to
> accept a global config value (not connector-by-connector) to trigger the
> FIPS_mode_set() at startup, and ensure there is enough error reporting back to
> the tomcat initialization code to inform the user of the reason for failure,
> when and if that call is rejected.

That's pretty much what will be required, since FIPS mode appears to be
per process and cannot be set per socket.

-chris
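A sketch of the process-wide startup hook William describes, written as an added example for this thread; it is not tcnative's code, not the patch tracked in bug 50570, and not anything either Chris posted. Only the OpenSSL signatures it mirrors are real: FIPS_mode_set(int) returns 1 on success and 0 when the FIPS module is missing, its self-tests failed or the build is not FIPS capable, and ERR_peek_last_error() returns the last queued error code. Everything else is assumed: the function names ssl_fips_startup, ssl_fips_state and ssl_fips_reset, the idea of passing the OpenSSL entry points in as function pointers so the policy can be exercised without a FIPS-capable build, the two fake OpenSSL builds, and the error code 0x2d06b06f (a constructed value, not a real OpenSSL error). The behaviour shown is the one the thread calls for: the mode is set once per process rather than per connector, a later connector cannot flip it, and a rejected FIPS_mode_set(1) is reported back to the caller with a reason instead of being ignored.

```c
#include <stdio.h>
#include <string.h>

/* These match OpenSSL's FIPS_mode_set() and ERR_peek_last_error(), so the
 * real functions can be passed in on a FIPS-capable build. The fakes at the
 * bottom of this file stand in for them here. */
typedef int (*fips_mode_set_fn)(int onoff);
typedef unsigned long (*err_peek_fn)(void);

enum fips_state { FIPS_UNSET = 0, FIPS_OFF = 1, FIPS_ON = 2 };

/* One setting per process: FIPS mode is global in OpenSSL, not per socket. */
static enum fips_state g_fips_state = FIPS_UNSET;

enum fips_state ssl_fips_state(void) { return g_fips_state; }
void ssl_fips_reset(void) { g_fips_state = FIPS_UNSET; } /* shutdown / tests only */

/* Global startup hook (hypothetical name). Returns 0 on success, -1 on
 * failure with a reason in errbuf for the caller to surface in the Tomcat
 * startup log. */
int ssl_fips_startup(int requested, fips_mode_set_fn set_fn, err_peek_fn peek_fn,
                     char *errbuf, size_t errlen)
{
    unsigned long code;
    errbuf[0] = '\0';

    /* Already initialised: a second connector may not flip the process-wide mode. */
    if (g_fips_state != FIPS_UNSET) {
        int current = (g_fips_state == FIPS_ON);
        if (current == !!requested)
            return 0;
        snprintf(errbuf, errlen,
                 "FIPS mode is %s for this process and cannot be changed per connector",
                 current ? "already on" : "already off");
        return -1;
    }

    if (!requested) {
        g_fips_state = FIPS_OFF;
        return 0;
    }

    /* FIPS_mode_set(1) returns 1 on success, 0 if the module is absent, its
     * self-tests failed, or the build is not FIPS capable. */
    if (set_fn(1) == 1) {
        g_fips_state = FIPS_ON;
        return 0;
    }

    /* Fail closed: report the reason and leave the state unset so the caller
     * aborts startup rather than running without validated code. */
    code = peek_fn ? peek_fn() : 0UL;
    if (code)
        snprintf(errbuf, errlen,
                 "FIPS_mode_set(1) rejected by OpenSSL (error code 0x%lx)", code);
    else
        snprintf(errbuf, errlen,
                 "FIPS_mode_set(1) rejected by OpenSSL (no error code available)");
    return -1;
}

/* Test doubles (constructed): a FIPS-capable build and a build without the module. */
static int fake_fips_capable(int onoff) { return onoff == 1; }
static int fake_not_capable(int onoff) { (void)onoff; return 0; }
static unsigned long fake_err_code(void) { return 0x2d06b06fUL; } /* constructed value */

int main(void)
{
    char reason[256];
    if (ssl_fips_startup(1, fake_fips_capable, NULL, reason, sizeof reason) == 0)
        printf("FIPS mode enabled for this process\n");
    if (ssl_fips_startup(0, fake_fips_capable, NULL, reason, sizeof reason) != 0)
        printf("second connector rejected: %s\n", reason);
    ssl_fips_reset();
    if (ssl_fips_startup(1, fake_not_capable, fake_err_code, reason, sizeof reason) != 0)
        printf("startup aborted: %s\n", reason);
    return 0;
}
```

On a real FIPS-capable OpenSSL build the call would be ssl_fips_startup(1, FIPS_mode_set, ERR_peek_last_error, ...), and the caller would format the code with ERR_error_string_n() before logging it; the point of the injected function pointers is only that the once-per-process and fail-closed rules can be checked without that build present.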