Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/11/23 14:48:52 UTC

DO NOT REPLY [Bug 46270] New: Add FIPS 140-2 mode for mod_ssl for FIPS 1.2 module.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46270

           Summary: Add FIPS 140-2 mode for mod_ssl for FIPS 1.2 module.
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: steve@openssl.org


Created an attachment (id=22917)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22917)
Add SSLFIPS option.

This patch adds FIPS 140-2 support for mod_ssl when used with the newly
validated 1.2 OpenSSL FIPS module.

A single boolean option SSLFIPS is added. When set, FIPS 140-2 mode is enabled.
Note that this option by itself does not guarantee FIPS 140-2 compliance; the
security policy must also be adhered to.

This option is only available if Apache is compiled against an appropriate
version of OpenSSL which has been linked to the validated module. Currently
only OpenSSL 0.9.8-stable snapshots include the necessary functionality.
OpenSSL 0.9.8j will be the first official release.

Typically compiling against appropriate headers and linking to a FIPS-capable
shared library will be required.

This option disables generation of temporary keys smaller than 1024 bits
because keys smaller than 1024 bits are prohibited in FIPS mode.

If compiled against a non-FIPS-capable OpenSSL, or when the SSLFIPS option is
not set, it will have no effect.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


--- Comment #2 from Dr Stephen Henson <st...@openssl.org>  2008-11-23 15:24:08 PST ---
(In reply to comment #1)
> 
> Do you object if this became a compile-time flag?
> 

No, don't mind at all. There have been a few changes in the latest validation.
The PRNG reseeding is no longer necessary. You can also link to FIPS-capable
shared libraries and it all works OK.

Static libraries need modifications to the build procedure.

The 1024 bit key restriction is a new requirement though.


--- Comment #4 from William A. Rowe Jr. <wr...@apache.org> 2010-05-10 14:11:23 EDT ---
After further study, a run time flag made sense.  Committed to trunk, proposed
for backport; one issue remains:

I'd further modified this patch to indicate when FIPS mode is or is not in
operation; some people have complained about the volume of this log message.

I'm considering making this loglevel Info, but suppress the log message when
the user explicitly configures SSLFIPS off.  Does this make sense?

--- Comment #3 from Dr Stephen Henson <st...@openssl.org>  2008-11-24 10:55:43 PST ---
(In reply to comment #1)
> Steve...
> 
> When Ben and I each worked on this initially, we came to the conclusion that
> httpd+mod_ssl should either be compiled to FIPS-140 binaries, with all of the
> encumbrances that places on the implementation, or compiled to the flexibility
> that non-FIPS offers.
> 
> Do you object if this became a compile-time flag?
> 

Had a bit of feedback on this. 

Adding a compile-time flag is OK. 

However, making it always-on is likely to cause problems with distros needing to
have two binaries. I'd prefer the configuration option be kept too, so the same
binary can work as FIPS and non-FIPS.

The encumbrances in the 1.2 FIPS module are rather less than those in the
original. Now an application can just link against shared libraries, which
otherwise behave in exactly the same way as OpenSSL 0.9.8.

In 1.0 and 1.1 shared libraries were not supported and you had to use a special
static-only link procedure.


--- Comment #1 from Will Rowe <wr...@apache.org>  2008-11-23 13:23:25 PST ---
Steve...

When Ben and I each worked on this initially, we came to the conclusion that
httpd+mod_ssl should either be compiled to FIPS-140 binaries, with all of the
encumbrances that places on the implementation, or compiled to the flexibility
that non-FIPS offers.

Do you object if this became a compile-time flag?

p.s. I plan to spend a bit of my holiday weekends over this next 6 weeks getting
all of these patches into trunk.

