httpd-users mailing list archives

From Jeff McAdams
Subject Re: [users@httpd] Is Apache2.2 FIPS compliant?
Date Sat, 12 Jan 2008 15:08:12 GMT
Victor Trac wrote:
> On Jan 12, 2008 3:34 PM, robingandhi21 wrote:
>> Please let me know if anybody has any idea of Apache2.2 being FIPS
>> compliant?

> FIPS deals with encryption standards, not http service.  Certain
> versions of OpenSSL are FIPS compliant, so as long as you use a
> certified version of OpenSSL in Apache, I suppose you are compliant.

That's not completely true.

There is some requirement that the apps that use the cryptographic
modules use them in "the right way".  So it's not just a matter of
slapping a certified OpenSSL in there.  Alas, I don't know specifics of
what "the right way" consists of...the office of our security-focused
guy that really knows this stuff shares a wall with mine, but it's not
me, so I'm not up on all the specifics.

Jeff McAdams
"They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety."
                                       -- Benjamin Franklin
