Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/06/23 22:25:10 UTC

DO NOT REPLY [Bug 39894] New: - merge FIPS branch

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39894>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39894

           Summary: merge FIPS branch
           Product: Apache httpd-2
           Version: 2.2-HEAD
          Platform: All
               URL: http://oss-institute.org/fips-faq.html
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: asf@divinehawk.com


I request that the fips-dev branch be further developed and merged.

OpenSSL is now FIPS-certified. It would be nice to have the option to build it
to be FIPS-compliant. 

The IBM httpd server includes a FIPS-compliant mode; it would be nice if Apache
did the same.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 39894] - merge FIPS branch

Posted by bu...@apache.org.

------- Additional Comments From wrowe@apache.org  2006-06-25 22:09 -------
And just to add further clarification, the effort includes replacing all FIPS
related algorithms in apr-util with stubs to the FIPS-validated crypto module,
e.g. OpenSSL's implementation of SHA-1 etc, and disabling FIPS disallowed
algorithms such as MD4 and MD5 when running in FIPS mode.

Parts of the HTTP/1.1 protocol itself will be problematic without MD5 support,
which is why the reporter shouldn't expect an 'instant answer'.  Well, that
and the lag between OpenSSL FIPS-1.0 - which they have withdrawn their validation
of, and the forthcoming FIPS-1.1 to better isolate the boundary of FIPS-validated
functionality.

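Added example, not part of the original thread and not httpd or apr-util code: a sketch of the approach described in the comment above, where every digest goes through one gate that refuses MD4 and MD5 in FIPS mode, applied to HTTP Digest authentication (RFC 2617), one part of HTTP/1.1 that is built on MD5. `DigestProvider`, `FipsModeError` and `try_digest_auth` are hypothetical names, and `hashlib` stands in for the validated crypto module.

```python
import hashlib

# Algorithms the comment above names as disallowed in FIPS mode.
FIPS_DISALLOWED = {"md4", "md5"}


class FipsModeError(Exception):
    """Raised when a caller asks for a digest that FIPS mode forbids."""


class DigestProvider:
    """Hypothetical single entry point for hashing (stand-in for a stub layer)."""

    def __init__(self, fips_mode: bool):
        self.fips_mode = fips_mode

    def hexdigest(self, algorithm: str, data: bytes) -> str:
        name = algorithm.lower()
        if self.fips_mode and name in FIPS_DISALLOWED:
            raise FipsModeError(f"{name} is not available in FIPS mode")
        # hashlib stands in for the validated module; assumes a non-FIPS Python build.
        return hashlib.new(name, data).hexdigest()


def digest_auth_response(provider, user, realm, password, method, uri,
                         nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth; every step is an MD5 call."""
    def h(text):
        return provider.hexdigest("md5", text.encode("utf-8"))
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def try_digest_auth(provider):
    """Run the sample request from RFC 2617 section 3.5; return response or error."""
    try:
        return digest_auth_response(
            provider, "Mufasa", "testrealm@host.com", "Circle Of Life",
            "GET", "/dir/index.html",
            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    except FipsModeError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    print("normal mode:", try_digest_auth(DigestProvider(fips_mode=False)))
    print("FIPS mode:  ", try_digest_auth(DigestProvider(fips_mode=True)))
```

With the gate on, the Digest handshake cannot be computed at all, while approved digests such as SHA-256 still pass through the same entry point.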


DO NOT REPLY [Bug 39894] - merge FIPS branch

Posted by bu...@apache.org.


wrowe@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From wrowe@apache.org  2006-06-24 18:51 -------
Sorry, bugs is -not- an appropriate forum for a request as abstract as this.

If you have anything to contribute to the effort Matt, dev@httpd.apache.org is
the development list where such topics are discussed.

As apr itself introduces many FIPS issues, and if IBM HTTP Server is using 
'stock' APR, it already propagates these issues, and you would be comparing
oranges to apples.

There is a layered effort starting at dev@apr.apache.org to resolve FIPS
conformance issues.  Please don't use bugzilla to track an issue this complex.



DO NOT REPLY [Bug 39894] - merge FIPS branch

Posted by bu...@apache.org.

------- Additional Comments From trawick@apache.org  2006-06-25 12:50 -------
>As apr itself introduces many FIPS issues, and
>if IBM HTTP Server is using 'stock' APR, 

just FYI...  what IBM HTTP Server provides w.r.t. FIPS is a setting in its SSL
module which informs the IBM security library to activate only
FIPS-approved ciphers/protocols, using its certified cipher implementation...
the FIPS capability doesn't extend any further...
