You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by pgajdos <pg...@suse.cz> on 2021/05/12 12:25:42 UTC

SSLFIPS on/off

Hello,

I have a question regarding the logic around SSLFIPS on/off. After
https://svn.apache.org/viewvc?view=revision&revision=1853197
I think SSLFIPS off will not work as expected. 

#ifdef HAVE_FIPS
    if (sc->fips) {
        if (!FIPS_mode()) {
            if (FIPS_mode_set(1)) {
                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
                             "Operating in SSL FIPS mode");
                apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
                                          apr_pool_cleanup_null);
            }
            else {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
                return ssl_die(s);
            }
        }
    }
    else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
                     "SSL FIPS mode disabled");
    }
#endif

In case sc->fips is FALSE (SSLFIPS off or not set), the
FIPS_mode_set() is not called at all and the fips mode is untouched.
If I understand correctly, it can be ON as it is on my system when a
binary starts up.

Question also is, whether the FIPS mode should not stand untouched
when SSLFIPS is not specified at all (not intend to turning it off).
Perhaps even more basic concern, what is actually the purpose
(usecase) or SSLFIPS directive? In other words, in case you have a
FIPS system, why you would like to disable it in httpd?

Unfortunately I do not know much about FIPS, so perhaps I missed
something basic but important, apologize in advance :).

Bye,
Petr

-- 
Have a lot of fun!

Re: SSLFIPS on/off

Posted by Stefan Eissing <st...@greenbytes.de>.

> Am 21.05.2021 um 17:59 schrieb Joe Orton <jo...@redhat.com>:
> 
> On Wed, May 12, 2021 at 02:25:42PM +0200, pgajdos wrote:
>> Hello,
>> 
>> I have a question regarding the logic around SSLFIPS on/off. After
>> https://svn.apache.org/viewvc?view=revision&revision=1853197
>> I think SSLFIPS off will not work as expected. 
> ...
>> In case sc->fips is FALSE (SSLFIPS off or not set), the
>> FIPS_mode_set() is not called at all and the fips mode is untouched.
>> If I understand correctly, it can be ON as it is on my system when a
>> binary starts up.
> 
> Agreed.
> 
>> Question also is, whether the FIPS mode should not stand untouched
>> when SSLFIPS is not specified at all (not intend to turning it off).
>> Perhaps even more basic concern, what is actually the purpose
>> (usecase) or SSLFIPS directive? In other words, in case you have a
>> FIPS system, why you would like to disable it in httpd?
> 
> It looks to me like "SSLFIPS off" has never worked even before r1853197. 
> I assume the use case was the opposite - turning on FIPS on a system 
> without it enabled globally.  (AFAIK my users/customers only care about 
> systems where FIPS is a OS-level setting so I don't care about that use 
> case either)
> 
> It also looks like OpenSSL 3.0 will be removing the functions entirely: 
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module 
> though I've only built against alpha16 so far and FIPS*() are still 
> there.
> 
> My preference would be to remove SSLFIPS from trunk mod_ssl completely.

+1

Re: SSLFIPS on/off

Posted by Joe Orton <jo...@redhat.com>.
On Wed, May 12, 2021 at 02:25:42PM +0200, pgajdos wrote:
> Hello,
> 
> I have a question regarding the logic around SSLFIPS on/off. After
> https://svn.apache.org/viewvc?view=revision&revision=1853197
> I think SSLFIPS off will not work as expected. 
...
> In case sc->fips is FALSE (SSLFIPS off or not set), the
> FIPS_mode_set() is not called at all and the fips mode is untouched.
> If I understand correctly, it can be ON as it is on my system when a
> binary starts up.

Agreed.

> Question also is, whether the FIPS mode should not stand untouched
> when SSLFIPS is not specified at all (not intend to turning it off).
> Perhaps even more basic concern, what is actually the purpose
> (usecase) or SSLFIPS directive? In other words, in case you have a
> FIPS system, why you would like to disable it in httpd?

It looks to me like "SSLFIPS off" has never worked even before r1853197. 
I assume the use case was the opposite - turning on FIPS on a system 
without it enabled globally.  (AFAIK my users/customers only care about 
systems where FIPS is a OS-level setting so I don't care about that use 
case either)

It also looks like OpenSSL 3.0 will be removing the functions entirely: 
https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module 
though I've only built against alpha16 so far and FIPS*() are still 
there.

My preference would be to remove SSLFIPS from trunk mod_ssl completely.

Regards, Joe