Posted to users@tomcat.apache.org by Chris Beckey <cb...@gmail.com> on 2011/01/07 22:24:24 UTC
FIPS mode OpenSSL under Tomcat 6.0
I need to run a FIPS 140-2 certified SSL/TLS implementation under Tomcat 6.0.20. I have OpenSSL configured and running but I cannot find a way to set FIPS mode in OpenSSL.
From the OpenSSL documentation it should be as simple as making a call to FIPS_mode_set(), probably from within the AprLifecycleListener, but I can't find a configuration option nor any indication that the FIPS_mode_set() method is visible in the tcnative library or JNI wrapper.
Question is, has anyone run OpenSSL under Tomcat in FIPS mode?
Any help would be appreciated.
I did find documentation on running JSSE in FIPS mode, but not OpenSSL.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: FIPS mode OpenSSL under Tomcat 6.0
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris,
On 1/7/2011 4:24 PM, Chris Beckey wrote:
> I need to run a FIPS 140-2 certified SSL/TLS implementation under
> Tomcat 6.0.20. I have OpenSSL configured and running but I cannot
> find a way to set FIPS mode in OpenSSL.
I don't think there's any way to configure OpenSSL via Tomcat other than
to specify the ciphers that OpenSSL will use for SSL.
> From the OpenSSL
> documentation it should be as simple as making a call to
> FIPS_mode_set(), probably from within the AprLifecycleListener but I
> can't find a configuration option nor any indication that
> FIPS_mode_set() method is visible in the tcnative library or JNI
> wrapper.
I can't find the string "fips" (case-insensitive) anywhere in the
tomcat-native code, so it must not be exposed.
> Question is, has anyone run OpenSSL under Tomcat in FIPS
> mode? Any help would be appreciated.
If you know the ciphers allowed by FIPS, you can just specify them in
your <Connector> configuration. Is that acceptable, or do you absolutely
need to have FIPS mode set? (I understand these things are sometimes
non-negotiable).
It doesn't look like it would be a big deal to add some code to allow
FIPS mode via the APR connector with OpenSSL. Would you be willing to
test some of that code?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk0skOUACgkQ9CaO5/Lv0PDhHACfXKvxsXyow99+flTQbLyXO0Du
yS0AoJYy+kEzl1bylVNff7IyO52zjesa
=9VrF
-----END PGP SIGNATURE-----
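The workaround in the reply above, hand-picking FIPS-allowed ciphers for the APR <Connector>, as an added example that is not part of the thread, of Tomcat or of tomcat-native: a Python script that reads an "openssl ciphers -v" listing and keeps only the suites whose key exchange, authentication, bulk cipher and MAC are all FIPS 140-2 approved algorithms, then joins them into an SSLCipherSuite value. The sample listing is constructed inline in the OpenSSL 1.0.x output format, and the approved sets are this example's assumption based on the FIPS 140-2 Annex A algorithm list, not something the page states; the security policy of the validated module is the authoritative list. The caveat the reply raises still applies: restricting SSLCipherSuite this way does not put OpenSSL into FIPS mode (no power-up self-tests, no enforcement of an approved DRBG); only FIPS_mode_set(1) inside a FIPS-capable build does that.

```python
"""Filter `openssl ciphers -v` output down to FIPS 140-2 approved suites.

Added example, not code from the Tomcat thread or from tomcat-native.
The APPROVED_* sets are an assumption derived from FIPS 140-2 Annex A;
check them against the security policy of the module you deploy.
"""
import re

# Constructed sample of `openssl ciphers -v 'ALL'` lines (OpenSSL 1.0.x format).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Assumed FIPS 140-2 approved algorithm families (Annex A): RSA/DH/ECDH key
# agreement, RSA/DSA/ECDSA signatures, AES and Triple-DES, SHA-1/SHA-2 HMAC.
# Anonymous suites (Au=None), NULL encryption, export grades, RC4, single
# DES, Camellia, SEED and MD5 are all outside the approved list.
APPROVED_KX = {"RSA", "DH", "ECDH"}
APPROVED_AU = {"RSA", "DSS", "ECDSA"}
APPROVED_ENC = {"AES", "AESGCM", "3DES"}
APPROVED_MAC = {"SHA1", "SHA256", "SHA384", "AEAD"}

# Captures the algorithm name and drops the parenthesised size, e.g. AES(128) -> AES.
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=([^\s(]+)")


def parse_cipher_line(line):
    """Return (suite name, {Kx, Au, Enc, Mac}, export flag) for one `ciphers -v` line."""
    parts = line.split()
    name = parts[0]
    fields = dict(_FIELD.findall(line))
    export = parts[-1] == "export"  # OpenSSL appends the word for export-grade suites
    return name, fields, export


def fips_reason(line):
    """Return None if every component is approved, else a short rejection reason."""
    name, f, export = parse_cipher_line(line)
    if export:
        return "export-grade"
    if f.get("Kx") not in APPROVED_KX:
        return "key exchange %s" % f.get("Kx")
    if f.get("Au") not in APPROVED_AU:
        return "authentication %s" % f.get("Au")
    if f.get("Enc") not in APPROVED_ENC:
        return "cipher %s" % f.get("Enc")
    if f.get("Mac") not in APPROVED_MAC:
        return "MAC %s" % f.get("Mac")
    return None


def fips_suites(ciphers_v_output):
    """Names of the approved suites, in the order OpenSSL listed them."""
    return [parse_cipher_line(l)[0] for l in ciphers_v_output.splitlines()
            if l.strip() and fips_reason(l) is None]


def rejected_suites(ciphers_v_output):
    """Map of rejected suite name -> reason, useful when auditing a server's list."""
    return {parse_cipher_line(l)[0]: fips_reason(l)
            for l in ciphers_v_output.splitlines()
            if l.strip() and fips_reason(l) is not None}


def connector_cipher_string(ciphers_v_output):
    """Value for the APR connector's SSLCipherSuite attribute (colon-separated)."""
    return ":".join(fips_suites(ciphers_v_output))


if __name__ == "__main__":
    print('SSLCipherSuite="%s"' % connector_cipher_string(SAMPLE_CIPHERS_V))
    for suite, why in rejected_suites(SAMPLE_CIPHERS_V).items():
        print("rejected %-28s %s" % (suite, why))
```

Run it against a real listing with "openssl ciphers -v 'ALL:!aNULL' | python3 thisfile.py"-style piping once the sample constant is replaced by sys.stdin.read(); the printed SSLCipherSuite value goes straight into the Http11AprProtocol <Connector>. Because SHA-256 and AES-GCM suites only negotiate under TLS 1.2, a Tomcat 6 APR connector whose SSLProtocol does not include TLS 1.2 will effectively use just the SHA1-MAC subset of the list.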
Re: FIPS mode OpenSSL under Tomcat 6.0
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris,
On 1/7/2011 4:24 PM, Chris Beckey wrote:
> I did find documentation on running JSSE in FIPS mode, but not
> OpenSSL.
Please post a reference to the JSSE setup here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk0slFEACgkQ9CaO5/Lv0PD4kQCfUz/uQC+02vM9mxz8VEK04MON
5NIAoJaL8M8xUSZD8TdnI7Xkx+J1VSGv
=I0LX
-----END PGP SIGNATURE-----