tomcat-dev mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat, OpenSSL and FIPS
Date Mon, 31 Jan 2011 20:47:36 GMT

On 1/31/2011 1:57 PM, William A. Rowe Jr. wrote:
> On 1/30/2011 8:20 AM, Christopher Schultz wrote:
>> Chris,
>> On 1/27/2011 3:54 PM, Chris Beckey wrote:
>>> Chris,
>>>   To set some context, I posted on the tomcat users listserv a question about
>>> running OpenSSL in FIPS mode under Tomcat.
>>>   The last communication was that you may investigate an enhancement.
>>>   Since then, one of my co-workers took on the C coding side and I took on the
>>> Java side.  I believe that we have it running now but I still have testing to complete before
>>> I'd call it stable.
>>>   As you may know the FIPS compliant version of OpenSSL is not the current version.
>>> What we have running is:
>>>   Tomcat V 6.0.20
>>>   OpenSSL FIPS module V 1.2.2
>>>   OpenSSL V 0.9.6q
>>>   tcnative V 1.1.20
>>>   APR V 1.4.2
>>>   I have found that the versions used are critical; these were the newest versions
>>> of the libraries I could get to work together, with the exception of Tomcat itself.   Usage
>>> of 6.0.20 is simply because that is what our application is to be released on.
>>>   Anyway, the point of this email is to inquire whether you would like the code
>>> for integration back into the code base?  I also have a fairly detailed list of steps used
>>> to do the build(s).
> Note this isn't enough, if you did not call FIPS_mode_set(), you aren't running
> FIPS validated code.

I'm pretty sure he's calling it: in the past, I asked if simply using
FIPS-approved ciphers was sufficient and he said "no". This is why
there is a patch coming hopefully in the near future. Note that (the
other) Chris is probably not subscribed to the list.

Feel free to watch this bug for updates:

> The nice way to do this would be to enhance tcnative to
> accept a global config value (not connector-by-connector) to trigger the
> FIPS_mode_set() at startup, and ensure there is enough error reporting back to
> the tomcat initialization code to inform the user of the reason for failure,
> when and if that call is rejected.

That's pretty much what will be required, since FIPS mode appears to be
per process and cannot be set per socket.
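
As an added illustration of the startup-time, process-wide call described above (this is not code from the thread or from tcnative itself): it assumes tcnative exposes FIPS_mode_set() and FIPS_mode() to Java as SSL.fipsModeSet(int) and SSL.fipsModeGet(), and shows the check-and-fail behaviour a single global hook needs so that a rejected call never silently leaves the JVM running non-validated crypto.

```java
import org.apache.tomcat.jni.SSL;

/** Illustrative global startup hook; assumes SSL.fipsModeSet/fipsModeGet exist in tcnative. */
public final class FipsStartup {
    private static final int FIPS_ON = 1;

    /**
     * Enter OpenSSL FIPS mode once for the whole process (before any connector or
     * SSLContext is created). Throws with OpenSSL's own reason if the call is rejected.
     */
    public static void enableFipsOrFail() {
        try {
            // FIPS mode is per process, so another component may already have set it.
            if (SSL.fipsModeGet() == FIPS_ON) {
                return;
            }
            int result = SSL.fipsModeSet(FIPS_ON);   // wraps FIPS_mode_set(1)
            if (result != 1) {
                throw new IllegalStateException("FIPS_mode_set() returned " + result);
            }
            // Belt and braces: read the state back rather than trusting the return value.
            if (SSL.fipsModeGet() != FIPS_ON) {
                throw new IllegalStateException("FIPS_mode_set() succeeded but FIPS_mode() is off");
            }
        } catch (Exception e) {
            // The native side attaches ERR_get_error() text to the exception; propagate it
            // so the user sees why (e.g. self-test failure, non-FIPS OpenSSL build) at startup.
            throw new IllegalStateException("Unable to enter OpenSSL FIPS mode: " + e.getMessage(), e);
        }
    }

    private FipsStartup() {
    }
}
```

Call enableFipsOrFail() from one global lifecycle listener, never from per-connector code, and let the exception abort startup rather than catching it.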

