httpd-modules-dev mailing list archives

From "Hammer, Tim" <Tim.Ham...@xerox.com>
Subject Trying to understand FIPS mode status in mod_ssl
Date Mon, 13 Oct 2008 17:10:23 GMT
My search has identified that:
 
  -  OpenSSL FIPS Object Model 1.1 is compatible with OpenSSL v0.9.7,
v0.9.7m & above and was validated against FIPS 140-2 by 11/16/07 and
that OpenSSL FIPS Object Model 1.2 validation was "pending" and would be
compatible with an "as yet unreleased OpenSSL v0.9.8"
    (OpenSSL FIPS FAQ- 11/16/07;
http://www.oss-institute.org/fips-faq.html)
 
  - on 2/6/08, Object Module v1.1.2 was validated (removing a
vulnerability in OM v1.1.1)
 
    (http://www.oss-institute.org/index.php?option=com_content&task=view&id=264&Itemid=160)
 
 
  - in an OSSI announcement about the OpenCrypto Management Program they
stated that Phase I was complete and Phase II was underway. (no version
number was given for the Object Model that was validated in Phase I, but
the implication is that 1.1 was validated and 1.2 is still not
validated?)
    There was also a paragraph for each of several major projects using
OpenSSL; Apache httpd 2.x mod_ssl was identified as not currently
supporting FIPS mode.
 
    (http://www.oss-institute.org/index.php?option=com_content&task=view&id=215&Itemid=160)
 
 
  - back in 2005, there was a branch in the Apache httpd repository for
fips-dev. According to the README, Ben Laurie & Will Rowe were working
on this. I found no indications that this work was completed and/or
moved into the trunk. I cannot find the branch in the repository now.
 
 
  - last November, there was an enhancement record filed in the AFS
Bugzilla with a patch for "OpenSSL autoconfig support for mod_ssl". My
simplistic interpretation of the description is that this could enable
FIPS mode via a configuration file.
    (https://issues.apache.org/bugzilla/show_bug.cgi?id=43931)
 
 
I found several postings to mail lists and discussion lists asking about
FIPS support in Apache httpd from earlier this year. Unfortunately,
there were no responses that I could find.
 
Is anyone currently working with OSSI to support FIPS mode in Apache
httpd 2.x? Has anyone looked at or applied the patch provided in 43931?
Does that patch provide everything needed to enable FIPS mode from
mod_ssl, or are additional code changes needed?
 
Thanks!
.Tim 

Tim D. Hammer
Software Developer
Xerox Office Group
Xerox Corporation
M/S 0801-80A
1350 Jefferson Road
Rochester, NY 14623

Phone: 585/427-1684
Fax:      585/427-3404
Mail:     Tim.Hammer@xerox.com

