Posted to cvs@httpd.apache.org by be...@apache.org on 2005/06/13 17:24:18 UTC

svn commit: r190416 - /httpd/httpd/branches/fips-dev/README-FIPS

Author: ben
Date: Mon Jun 13 08:24:18 2005
New Revision: 190416

URL: http://svn.apache.org/viewcvs?rev=190416&view=rev
Log:
More info.

Modified:
    httpd/httpd/branches/fips-dev/README-FIPS

Modified: httpd/httpd/branches/fips-dev/README-FIPS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/README-FIPS?rev=190416&r1=190415&r2=190416&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/README-FIPS (original)
+++ httpd/httpd/branches/fips-dev/README-FIPS Mon Jun 13 08:24:18 2005
@@ -46,3 +46,16 @@
 SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA
 
 The cipher suites can, of course, be a subset of the above.
+
+General: All crypto should be done via OpenSSL (or another FIPS
+certified package). Any external packages using crypto must enable
+FIPS mode in OpenSSL. The OpenSSL FIPS security policy must be
+followed.
+
+Note that because Apache sets FIPS mode in OpenSSL, other libraries or
+modules using OpenSSL that coexist may exhibit unexpected behaviour
+because of the restrictions FIPS mode imposes.
+
+In particular, only DES, AES, RSA, DSA/DSS and SHA-1 can be
+used. There is a special exception that permits the use of MD5 within
+TLS, but not elsewhere.
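Review bot: The new "only DES, AES, RSA, DSA/DSS and SHA-1" paragraph leaves it ambiguous whether the single-DES suites (DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA) and the export-grade EXP/EXP1024 suites in the SSLCipherSuite line above are intended to fall under "DES", or whether only the DES-CBC3 (triple DES) entries are meant; the README should say so explicitly, since a reader following the FIPS security policy needs to know which entries to drop from that list. While touching this file, the context line also appears to have lost the ":" separator between "AES128-SHA" and "EXP1024-DHE-DSS-DES-CBC-SHA" (it reads "AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA"), which would make that token unparsable as a cipher name. Finally, "Any external packages using crypto must enable FIPS mode in OpenSSL" followed by "because Apache sets FIPS mode in OpenSSL" reads as contradictory; clarifying that Apache enables the mode process-wide and other modules must not disable it would resolve the ambiguity.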