> On 31 Aug 2016, at 3:38 AM, 'Danny' via modwsgi <[email protected]> wrote:
>
> I apologize if this is a stupid question. I am an absolute newbie at web security, and I need to stand up a site which is FIPS enabled. Is the apache/mod_ssl that is installed with mod_wsgi_packages FIPS enabled? How would I check in the future, and if not, is there a way to modify the build that would enable it without having to resort to a custom install of apache?
>
> I am loving mod_wsgi-express and hope I use it without modification...
Don't know anything about FIPS unfortunately, so can only base things on what I find with Google. Apache documentation only mentions:

* https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslfips

but doesn't really explain anything about what it is doing, so you would need to be across what FIPS security policy documents are requiring from the underlying SSL library. This link:

* https://mariobrandt.de/archives/apache/apache-http-strict-transport-security-with-long-duration-817/

also talks about that setting not being enough and that other configuration is also needed.

When using HTTPS support in mod_wsgi-express it is pretty well relying on the defaults in Apache httpd server. The only exception to this is that mod_wsgi-express provides the '--hsts-policy' option to enable HTTP Strict Transport Security (HSTS). That would appear to only deal with part of the settings talked about in that post.

If you can determine what other Apache httpd server configuration directives do need to be set, you may be able to get away with adding them to a file called 'fips.conf' and then using the option to mod_wsgi-express of:

    --include-file fips.conf

This will though simply include the directives at the end of the generated configuration file. Whether this is sufficient I don't know as the SSL directives are usually contained within a specific VirtualHost, so it depends on what Apache allows for each of the directives and how precedence order works.

I have previously added a --rewrite-rules option to specify a configuration file snippet that would be included in a specific spot within the generated configuration to deal with issues like it needing to be done in a specific spot. I could thus if necessary add a similar option called something like --ssl-directives where you could give it the path to a configuration file snippet to be included in the VirtualHost after the other SSL directives are set. That would allow it to be customised and defaults overridden.

So what I suggest is try and work out what the Apache httpd server directives need to be and use --include-file to see if Apache complains about where they are being set. If it accepts them, not sure how one would determine if they are being applied correctly and that you are compliant.

Graham
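Added example, not code from the thread or from the mod_wsgi project: a small Python check for the placement question Graham raises, i.e. whether an SSL directive appended by `--include-file` lands at global scope or inside the generated `<VirtualHost>`. It assumes a constructed stand-in for the generated httpd.conf (hypothetical paths and hostname) and relies on the mod_ssl documentation stating that `SSLFIPS` is valid in server config only, so it must sit outside any VirtualHost.

```python
import re

# Constructed stand-in for the httpd.conf that mod_wsgi-express generates:
# SSL directives live inside the VirtualHost, and --include-file appends
# fips.conf after it, at global scope. Paths and hostname are hypothetical.
GENERATED_CONF = """\
Listen 443
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine On
    SSLCertificateFile /hypothetical/server.crt
    WSGIScriptAlias / /hypothetical/app.wsgi
</VirtualHost>
</IfModule>
"""
FIPS_CONF = "SSLFIPS on\n"  # the fips.conf snippet appended by --include-file

# Per the mod_ssl documentation, SSLFIPS is valid in server config only.
SERVER_CONFIG_ONLY = {"sslfips"}
_SECTION_OPEN = re.compile(r"^<(\w+)[^>]*>$")
_SECTION_CLOSE = re.compile(r"^</\w+>$")
_TRANSPARENT = ("IfModule", "IfDefine")  # wrappers that do not change scope

def directive_scopes(conf_text):
    """Map each SSL* directive name to the scopes it is set in ('server' or a section header)."""
    stack, found = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if _SECTION_OPEN.match(line):
            stack.append(line[1:-1])
        elif _SECTION_CLOSE.match(line):
            stack.pop()
        elif line.split()[0].lower().startswith("ssl"):
            scope = next((s for s in reversed(stack) if not s.startswith(_TRANSPARENT)), "server")
            found.setdefault(line.split()[0], []).append(scope)
    return found

def check_placement(conf_text):
    """Return a list of placement problems for SSLFIPS (empty means it looks right)."""
    scopes = directive_scopes(conf_text)
    problems = [f"{name} inside <{s}> is not allowed"
                for name, where in scopes.items() if name.lower() in SERVER_CONFIG_ONLY
                for s in where if s != "server"]
    if not any(n.lower() == "sslfips" for n in scopes):
        problems.append("SSLFIPS not set")
    return problems

if __name__ == "__main__":
    print(check_placement(GENERATED_CONF + FIPS_CONF))  # []
    print(check_placement(GENERATED_CONF))              # ['SSLFIPS not set']
```

Run it against the httpd.conf that `mod_wsgi-express setup-server` writes out to see where the included directives actually ended up; a clean result still only covers placement, not FIPS compliance itself.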
