You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by pgajdos <pg...@suse.cz> on 2021/05/12 12:25:42 UTC
SSLFIPS on/off
Hello,
I have a question regarding the logic around SSLFIPS on/off. After
https://svn.apache.org/viewvc?view=revision&revision=1853197
I think SSLFIPS off will not work as expected.
#ifdef HAVE_FIPS
if (sc->fips) {
if (!FIPS_mode()) {
if (FIPS_mode_set(1)) {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
"Operating in SSL FIPS mode");
apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
apr_pool_cleanup_null);
}
else {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s);
}
}
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
"SSL FIPS mode disabled");
}
#endif
In case sc->fips is FALSE (SSLFIPS off or not set), the
FIPS_mode_set() is not called at all and the fips mode is untouched.
If I understand correctly, it can be ON as it is on my system when a
binary starts up.
Question also is, whether the FIPS mode should not stand untouched
when SSLFIPS is not specified at all (not intend to turning it off).
Perhaps even more basic concern, what is actually the purpose
(usecase) or SSLFIPS directive? In other words, in case you have a
FIPS system, why you would like to disable it in httpd?
Unfortunately I do not know much about FIPS, so perhaps I missed
something basic but important, apologize in advance :).
Bye,
Petr
--
Have a lot of fun!
Re: SSLFIPS on/off
Posted by Stefan Eissing <st...@greenbytes.de>.
> Am 21.05.2021 um 17:59 schrieb Joe Orton <jo...@redhat.com>:
>
> On Wed, May 12, 2021 at 02:25:42PM +0200, pgajdos wrote:
>> Hello,
>>
>> I have a question regarding the logic around SSLFIPS on/off. After
>> https://svn.apache.org/viewvc?view=revision&revision=1853197
>> I think SSLFIPS off will not work as expected.
> ...
>> In case sc->fips is FALSE (SSLFIPS off or not set), the
>> FIPS_mode_set() is not called at all and the fips mode is untouched.
>> If I understand correctly, it can be ON as it is on my system when a
>> binary starts up.
>
> Agreed.
>
>> Question also is, whether the FIPS mode should not stand untouched
>> when SSLFIPS is not specified at all (not intend to turning it off).
>> Perhaps even more basic concern, what is actually the purpose
>> (usecase) or SSLFIPS directive? In other words, in case you have a
>> FIPS system, why you would like to disable it in httpd?
>
> It looks to me like "SSLFIPS off" has never worked even before r1853197.
> I assume the use case was the opposite - turning on FIPS on a system
> without it enabled globally. (AFAIK my users/customers only care about
> systems where FIPS is a OS-level setting so I don't care about that use
> case either)
>
> It also looks like OpenSSL 3.0 will be removing the functions entirely:
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
> though I've only built against alpha16 so far and FIPS*() are still
> there.
>
> My preference would be to remove SSLFIPS from trunk mod_ssl completely.
+1
Re: SSLFIPS on/off
Posted by Joe Orton <jo...@redhat.com>.
On Wed, May 12, 2021 at 02:25:42PM +0200, pgajdos wrote:
> Hello,
>
> I have a question regarding the logic around SSLFIPS on/off. After
> https://svn.apache.org/viewvc?view=revision&revision=1853197
> I think SSLFIPS off will not work as expected.
...
> In case sc->fips is FALSE (SSLFIPS off or not set), the
> FIPS_mode_set() is not called at all and the fips mode is untouched.
> If I understand correctly, it can be ON as it is on my system when a
> binary starts up.
Agreed.
> Question also is, whether the FIPS mode should not stand untouched
> when SSLFIPS is not specified at all (not intend to turning it off).
> Perhaps even more basic concern, what is actually the purpose
> (usecase) or SSLFIPS directive? In other words, in case you have a
> FIPS system, why you would like to disable it in httpd?
It looks to me like "SSLFIPS off" has never worked even before r1853197.
I assume the use case was the opposite - turning on FIPS on a system
without it enabled globally. (AFAIK my users/customers only care about
systems where FIPS is a OS-level setting so I don't care about that use
case either)
It also looks like OpenSSL 3.0 will be removing the functions entirely:
https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
though I've only built against alpha16 so far and FIPS*() are still
there.
My preference would be to remove SSLFIPS from trunk mod_ssl completely.
Regards, Joe