httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: Apache2 FIPS Certified?
Date Thu, 11 Aug 2005 23:43:58 GMT
Plenty.  First, OpenSSL is -not- FIPS certified.  It's in
the certification under test (CUT) phase, and no word of
exactly what will come of that phase.  Second, you would
have to enable OpenSSL's fips-only mode, and stop using
all prohibited entropy, hashing and crypto.

The http project has a little side-repository Ben and I have
been working on which will throw these flags appropriately,
and replace some components of httpd and apr.  I'd point you
at it, but the caveat remains that you still won't have any
fips web server after all your effort.  Not until OpenSSL
has completed the process.

FWIW, any designation of "FIPS certification pending" happens
to be expressly prohibited by the FIPS requirements themselves,
so it's not possible to proactively provide a solution with
any claims whatsoever.

Ben and I started this sandbox as a proof of concept to 
determine what needed to change in apr, httpd, etc, and it's
very likely that those features will become part of httpd after
the certification process is complete.  If you want to take a
look at our unreleased efforts, that repository is in


At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
>Would anyone be able to tell me if Apache2 is FIPS certified?  If I build OpenSSL with
the FIPS flag, is there anything else I have to do when building Apache with OpenSSL?  Thanks.

View raw message