httpd-users mailing list archives

From Krist van Besien <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] FIPS 140_2 compliant for mod_proxy?
Date Wed, 03 Mar 2010 10:34:01 GMT
On Tue, Mar 2, 2010 at 2:39 PM, Mike Trent <Michael.Trent@xerox.com> wrote:

> There is a patch that turns on FIPS mode in mod_ssl (listed in my last post)
> We can run apache as a server for HTTPS (SSL) in FIPS mode. However when
> communicating over HTTPS (SSL) via mod_proxy - mod_ssl is not running FIPS
> mode. This can be verified by running a line trace and seeing that the TLS
> handshaking client HELLO packet presents a cipher suite that includes non
> FIPS compliant algorithms (RC4 for example).
>
> While running in server mode (not using mod_proxy) FIPS is enabled properly.
> This can be seen in the TLS server HELLO which presents only FIPS compliant
> algorithms such as 3DES.
>
> i.e.
> SSL - as a server - FIPS compliant

I would love to help you, but I need more information from you in
order to do so. I have trouble finding out what it is exactly that you
are trying to achieve, and in what way, because the context fails.
Precise language is useful. I have trouble trying to imagine what you
mean with "running in proxy mode" and "via mod_proxy". That is where
the exact language of a config file helps.
So please, just post us the SSL part of your config, and we may be
able to point out to you what you need to modify.

> SSL - as a client via mod_proxy - not FIPS compliant

Are you saying that apache is here acting as an SSL client in a
non-FIPS compliant way? i.e. apache is here used by you as a proxy that
forwards towards an https server? In that case have a look at the
SSLProxy* directives.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
