On 01/06/2022 17:00, Christopher Schultz wrote:
Mark,

On 6/1/22 09:49, Mark Thomas wrote:
On 20/05/2022 12:43, Mark Thomas wrote:

<snip/>

Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code changes in Tomcat Native are going to be required to get this to work.

After doing some work on this I have an update.

First of all, OpenSSL 3 has not yet obtained FIPS certification. You can use the FIPS provider but it is not (yet) certified.

To use the OpenSSL 3 FIPS provider with Tomcat you need to do all of the following:
- build Tomcat Native 1.2.x with OpenSSL 3.x
- configure OpenSSL to use the FIPS provider by default
   https://www.openssl.org/docs/man3.0/man7/fips_module.html

If this is anything like OpenSSL 1.x, you will need to build OpenSSL with FIPS enabled to begin with. It's not just a runtime setting. (I don't claim to understand the fine details of FIPS, but IMHO it should have been possible for OpenSSL to be built in a standard way with FIPS operational mode being simply a runtime decision, but that isn't how OpenSSL did things... at least not originally.)

FIPS in 3.x is very different. Details are in the OpenSSL man page I linked above.

- DO NOT configure the APRLifecycleListener to use FIPS

Oh, that's interesting :)

Is that because the provider itself is FIPS and therefore there's no reason to have an API to specifically enable it?

You can use it via API but it is possible to enable it entirely via configuration.

Is it possible to confirm from client code e.g. libtcnative that the module is indeed in FIPS mode?

You can confirm that the FIPS provider is the default provider which should be good enough.

This is why I asked earlier whether we wanted to add a confirmation check to each TLS connection to check that the selected cipher was from the FIPS provider.

Although you won't see any confirmation in the logs, Tomcat Native will be using the OpenSSL FIPS provider.

Updates are in progress so that:
- Tomcat will log a message on start when FIPS is the default provider
- setting the FIPSMode options when using OpenSSL 3 won't break things

The above will require Tomcat Native 1.2.34 onwards.

I think we might want to make a note of all this in the documentation for the APR lifecycle listener, including all the version information you have above.

The updates I have locally include most of that either in the docs or the change log.

Mark
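
The "configure OpenSSL to use the FIPS provider by default" step from the list above, as an added example that is not from this thread or from the Tomcat project: an openssl.cnf laid out the way the linked fips_module man page describes. The .include path is an assumption; use wherever `openssl fipsinstall` wrote fipsmodule.cnf on your system.

```ini
# openssl.cnf: load the FIPS provider and make it the default (added example)
config_diagnostics = 1
openssl_conf = openssl_init

# Assumed path: fipsmodule.cnf is generated by `openssl fipsinstall` and
# carries the [fips_sect] activation plus the module's integrity checksums.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
# The base provider supplies only encoders/decoders (PEM/DER key and
# certificate loading); it contains no algorithms, so it does not weaken
# the FIPS-only property set below.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Every algorithm fetch must be satisfied by a provider with fips=yes,
# which is what makes the FIPS provider the default that Tomcat Native
# then picks up without any FIPSMode setting on the listener.
default_properties = fips=yes
```

Check with `openssl list -providers`, which should show the fips provider as active; with config_diagnostics set, a broken config makes OpenSSL initialisation fail loudly instead of silently falling back to the default provider.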
