You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by robingandhi21 <ro...@gmail.com> on 2008/01/12 15:34:28 UTC
[users@httpd] Is Apache2.2 FIPS compliant?
Please let me know if anybody have any idea of Apache2.2 being FIPS
compliant?
Thanks in advance
Robin Gandhi
--
View this message in context: http://www.nabble.com/Is-Apache2.2-FIPS-compliant--tp14774125p14774125.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is Apache2.2 FIPS compliant?
Posted by Joshua Slive <jo...@slive.ca>.
On Jan 12, 2008 10:08 AM, Jeff McAdams <je...@iglou.com> wrote:
> Victor Trac wrote:
> > On Jan 12, 2008 3:34 PM, robingandhi21 <ro...@gmail.com> wrote:
> >> Please let me know if anybody have any idea of Apache2.2 being FIPS
> >> compliant?
>
> > FIPS deals with encryption standards, not http service. Certain
> > versions of OpenSSL are FIPS compliant, so as long as you use a
> > certified version of OpenSSL in Apache, I suppose you are compliant.
>
> That's not completely true.
>
> There is some requirement that the apps that use the cryptographic
> modules use them in "the right way". So its not just a matter of
> slapping a certified OpenSSL in there. Alas, I don't know specifics of
> what "the right way" consists of...the office of our security-focused
> guy that really knows this stuff shares a wall with mine, but its not
> me, so I'm not up on all the specifics.
There were people working on a certified Apache httpd + OpenSSL. I'm
not sure what the result was, but searching the archives of the
dev@httpd.apache.org list for FIPS will surely turn up something
useful.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is Apache2.2 FIPS compliant?
Posted by Jeff McAdams <je...@iglou.com>.
Victor Trac wrote:
> On Jan 12, 2008 3:34 PM, robingandhi21 <ro...@gmail.com> wrote:
>> Please let me know if anybody have any idea of Apache2.2 being FIPS
>> compliant?
> FIPS deals with encryption standards, not http service. Certain
> versions of OpenSSL are FIPS compliant, so as long as you use a
> certified version of OpenSSL in Apache, I suppose you are compliant.
That's not completely true.
There is some requirement that the apps that use the cryptographic
modules use them in "the right way". So its not just a matter of
slapping a certified OpenSSL in there. Alas, I don't know specifics of
what "the right way" consists of...the office of our security-focused
guy that really knows this stuff shares a wall with mine, but its not
me, so I'm not up on all the specifics.
--
Jeff McAdams
"They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin
Re: [users@httpd] Is Apache2.2 FIPS compliant?
Posted by Victor Trac <vi...@gmail.com>.
On Jan 12, 2008 3:34 PM, robingandhi21 <ro...@gmail.com> wrote:
>
> Please let me know if anybody have any idea of Apache2.2 being FIPS
> compliant?
>
FIPS deals with encryption standards, not http service. Certain
versions of OpenSSL are FIPS compliant, so as long as you use a
certified version of OpenSSL in Apache, I suppose you are compliant.
--Victor
--
http://www.victortrac.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is Apache2.2 FIPS compliant?
Posted by Sander Temme <sc...@apache.org>.
Robin,
On Jan 12, 2008, at 6:34 AM, robingandhi21 wrote:
> Please let me know if anybody have any idea of Apache2.2 being FIPS
> compliant?
By itself, no. Apache does not do anything special for key management
or access control to key material. However, Apache can use a FIPS 140
certified Hardware Security Module like nCipher's nShield card and use
keys protected by its Security World. This will make you FIPS 140-2
Level 2 or 3 compliant.
Note: I work for nCipher. Let me know if you'd like more information
about using hardware-protected keys.
Sander
--
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF