tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat, OpenSSL and FIPS
Date Mon, 31 Jan 2011 20:47:36 GMT
William,

On 1/31/2011 1:57 PM, William A. Rowe Jr. wrote:
> On 1/30/2011 8:20 AM, Christopher Schultz wrote:
>> Chris,
>>
>> On 1/27/2011 3:54 PM, Chris Beckey wrote:
>>> Chris,
>>>   To set some context, I posted on the tomcat users listserv a question about
>>> running OpenSSL in FIPS mode under Tomcat.
>>>   The last communication was that you may investigate an enhancement.
>>>   Since then, one of my co-workers took on the C coding side and I took on the
>>> Java side.  I believe that we have it running now but I still have testing to complete before
>>> I'd call it stable.
>>>   As you may know the FIPS-compliant version of OpenSSL is not the current version.
>>> What we have running is:
>>>   Tomcat V 6.0.20
>>>   OpenSSL FIPS module V 1.2.2
>>>   OpenSSL V 0.9.6q
>>>   tcnative V 1.1.20
>>>   APR V 1.4.2
>>>   I have found that the versions used are critical; these were the newest versions
>>> of the libraries I could get to work together, with the exception of Tomcat itself.  Usage
>>> of 6.0.20 is simply because that is what our application is to be released on.
>>>   Anyway, the point of this email is to inquire whether you would like the code
>>> for integration back into the code base?  I also have a fairly detailed list of steps used
>>> to do the build(s).
> 
> Note this isn't enough, if you did not call FIPS_mode_set(), you aren't running
> FIPS validated code.

I'm pretty sure he's calling it: In the past, I asked if simply using
FIPS-approved ciphers was sufficient and he said "no". This is why
there is a patch coming hopefully in the near future. Note that (the
other) Chris is probably not subscribed to the list.

Feel free to watch this bug for updates:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570

> The nice way to do this would be to enhance tcnative to
> accept a global config value (not connector-by-connector) to trigger the
> FIPS_mode_set() at startup, and ensure there is enough error reporting back to
> the tomcat initialization code to inform the user of the reason for failure,
> when and if that call is rejected.

That's pretty much what will be required, since FIPS mode appears to be
per process and cannot be set per socket.

-chris

