httpd-dev mailing list archives

From "Fenlason, Josh" <>
Subject RE: Apache2 FIPS Certified?
Date Fri, 12 Aug 2005 13:24:31 GMT
Thanks for the info.

> -----Original Message-----
> From: William A. Rowe, Jr. [] 
> Sent: Thursday, August 11, 2005 6:44 PM
> To:
> Cc:
> Subject: Re: Apache2 FIPS Certified?
> Plenty.  First, OpenSSL is -not- FIPS certified.  It's in
> the certification under test (CUT) phase, and no word of
> exactly what will come of that phase.  Second, you would have
> to enable OpenSSL's fips-only mode, and stop using all
> prohibited entropy, hashing and crypto.
>
> The http project has a little side-repository Ben and I have
> been working on which will throw these flags appropriately,
> and replace some components of httpd and apr.  I'd point you
> at it, but the caveat remains that you still won't have any
> fips web server after all your effort.  Not until OpenSSL has
> completed the process.
>
> FWIW, any designation of "FIPS certification pending" happens
> to be expressly prohibited by the FIPS requirements
> themselves, so it's not possible to proactively provide a
> solution with any claims whatsoever.
>
> Ben and I started this sandbox as a proof of concept to
> determine what needed to change in apr, httpd, etc, and it's
> very likely that those features will become part of httpd
> after the certification process is complete.  If you want to
> take a look at our unreleased efforts, that repository is in
>
> Bill
>
> At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
> >Would anyone be able to tell me if Apache2 is FIPS certified?  If I 
> >build OpenSSL with the FIPS flag, is there anything else I have to do
> >when building Apache with OpenSSL?  Thanks.
> >Josh.
