httpd-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Wed, 10 Feb 2016 23:11:40 GMT
Hi,

On Wed, Feb 10, 2016 at 11:14 PM, Christopher Schultz
<chris@christopherschultz.net> wrote:
>
> To those down and dirty with httpd: is there a reason not to
> UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
> doesn't support FIPS mode, it will complain about it and refuse to
> enter FIPS mode. The httpd code already handles this in
> modules/ssl/ssl_engine_init.c:
>
>> #ifdef HAVE_FIPS
>>     if (sc->fips) {
>>         if (!FIPS_mode()) {
>>             if (FIPS_mode_set(1)) {
>>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884) "Operating in SSL FIPS mode");
>>             } else {
>>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
>>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>>                 return ssl_die(s);
>>             }
>>         }
>>     } else {
>>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL FIPS mode disabled");
>>     }
>> #endif
>
> I don't see a compelling reason to have all the #ifdef HAVE_FIPS
> conditionals all over the place.

OPENSSL_FIPS is something defined by OpenSSL when FIPS has been ./config-ured.
Apache httpd should be run against an OpenSSL version ABI-compatible
with the one it was compiled with, whereas FIPS vs non-FIPS OpenSSLs
are possibly not ABI-compatible...

Regards,
Yann.
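The practical question behind this exchange is which OpenSSL headers a given mod_ssl build picks up, since that is what decides whether the quoted FIPS_mode_set() block exists in the binary at all. The probe below is an added example, not part of the thread and not httpd's own build system. It assumes (this is not shown on the page) that httpd derives its HAVE_FIPS from the OPENSSL_FIPS define that a FIPS-configured OpenSSL writes into opensslconf.h; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example; not httpd's build system and not code from the thread.
# Probe the OpenSSL headers a mod_ssl build would compile against and say
# whether they carry OPENSSL_FIPS, the define a FIPS-configured OpenSSL
# writes into opensslconf.h. Assumption (not shown on the page): httpd
# turns OPENSSL_FIPS into its own HAVE_FIPS, so this decides whether the
# quoted FIPS_mode_set() block is compiled in at all.
# Function and file names below are this example's own.

# openssl_fips_configured FILE
#   status 0 if FILE (an opensslconf.h) has an active "#define OPENSSL_FIPS",
#   1 if it does not, 2 if FILE is unreadable.
openssl_fips_configured() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable header: $conf" >&2; return 2; }
    # Only a real preprocessor line counts: "#undef OPENSSL_FIPS", or the
    # name inside a comment, must not make us believe FIPS is configured.
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' "$conf"
}

# openssl_version_texts FILE
#   print every OPENSSL_VERSION_TEXT string in an opensslv.h. 1.0.x headers
#   carry a "-fips" and a plain variant selected by OPENSSL_FIPS, so expect
#   one line per variant; compare them with the libcrypto that ldd shows
#   mod_ssl.so actually loading (the ABI point made above).
openssl_version_texts() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*OPENSSL_VERSION_TEXT[[:space:]][[:space:]]*"\(.*\)".*/\1/p' "$1"
}

# fips_build_report PREFIX
#   print "fips", "nofips" or "unknown" for the headers under
#   PREFIX/include/openssl, the tree that --with-ssl=PREFIX points httpd at.
fips_build_report() {
    conf="$1/include/openssl/opensslconf.h"
    if openssl_fips_configured "$conf"; then
        echo fips       # HAVE_FIPS set: SSLFIPS on reaches FIPS_mode_set(1)
    elif [ -r "$conf" ]; then
        echo nofips     # HAVE_FIPS unset: the quoted block is not compiled
    else
        echo unknown    # no opensslconf.h there: wrong prefix?
    fi
}

# Usage: fips-probe.sh /usr/local/ssl
if [ $# -gt 0 ]; then
    fips_build_report "$1"
    openssl_version_texts "$1/include/openssl/opensslv.h" 2>/dev/null
fi
```

Run it against the same prefix you hand to httpd's --with-ssl; a "nofips" result means the SSLFIPS code path is simply absent from the build, whatever libcrypto is present at runtime, and a "fips" result is only useful if ldd on the resulting mod_ssl.so resolves to the libcrypto that was built from that same FIPS-configured tree.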
