httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fenlason, Josh" <jfenla...@ptc.com>
Subject RE: Apache2 FIPS Certified?
Date Fri, 12 Aug 2005 13:24:31 GMT
Thanks for the info.
,
Josh.

> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net] 
> Sent: Thursday, August 11, 2005 6:44 PM
> To: dev@httpd.apache.org
> Cc: dev@httpd.apache.org
> Subject: Re: Apache2 FIPS Certified?
> 
> 
> Plenty.  First, OpenSSL is -not- FIPS certified.  It's in
> the certification under test (CUT) phase, and no word of 
> exactly what will come of that phase.  Second, you would have 
> to enable OpenSSL's fips-only mode, and stop using all 
> prohibited entropy, hashing and crypto.
> 
> The http project has a little side-repository Ben and I have 
> been working on which will throw these flags appropriately, 
> and replace some components of httpd and apr.  I'd point you 
> at it, but the caveat remains that you still won't have any 
> fips web server after all your effort.  Not until OpenSSL has 
> completed the process.
> 
> FWIW, any designation of "FIPS certification pending" happens 
> to be expressly prohibited by the FIPS requirements 
> themselves, so it's not possible to proactively provide a 
> solution with any claims whatsoever.
> 
> Ben and I started this sandbox as a proof of concept to 
> determine what needed to change in apr, httpd, etc, and it's 
> very likely that those features will become part of httpd 
> after the certification process is complete.  If you want to 
> take a look at our unreleased efforts, that repository is in
> 
>   http://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev/
> 
> Bill
> 
> At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
> >Would anyone be able to tell me if Apache2 is FIPS certified?  If I 
> >build OpenSSL with the FIPS flag, is there anything else I 
> have to do 
> >when building Apache with OpenSSL?  Thanks. , Josh.
> 
> 

Mime
View raw message