httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Is Apache2.2 FIPS compliant?
Date Sat, 12 Jan 2008 15:37:48 GMT
On Jan 12, 2008 10:08 AM, Jeff McAdams <jeffm@iglou.com> wrote:
> Victor Trac wrote:
> > On Jan 12, 2008 3:34 PM, robingandhi21 <robingandhi21@gmail.com> wrote:
> >> Please let me know if anybody have any idea of Apache2.2 being FIPS
> >> compliant?
>
> > FIPS deals with encryption standards, not http service.  Certain
> > versions of OpenSSL are FIPS compliant, so as long as you use a
> > certified version of OpenSSL in Apache, I suppose you are compliant.
>
> That's not completely true.
>
> There is some requirement that the apps that use the cryptographic
> modules use them in "the right way".  So its not just a matter of
> slapping a certified OpenSSL in there.  Alas, I don't know specifics of
> what "the right way" consists of...the office of our security-focused
> guy that really knows this stuff shares a wall with mine, but its not
> me, so I'm not up on all the specifics.

There were people working on a certified Apache httpd + OpenSSL. I'm
not sure what the result was, but searching the archives of the
dev@httpd.apache.org list for FIPS will surely turn up something
useful.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message