From: Christopher Schultz
Date: Mon, 31 Jan 2011 15:47:36 -0500
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Re: Tomcat, OpenSSL and FIPS

William,

On 1/31/2011 1:57 PM, William A. Rowe Jr. wrote:
> On 1/30/2011 8:20 AM, Christopher Schultz wrote:
>> Chris,
>>
>> On 1/27/2011 3:54 PM, Chris Beckey wrote:
>>> Chris,
>>> To set some context, I posted on the tomcat users listserv a question about running OpenSSL in FIPS mode under Tomcat.
>>> The last communication was that you may investigate an enhancement.
>>> Since then, one of my co-workers took on the C coding side and I took on the Java side. I believe that we have it running now but I still have testing to complete before I'd call it stable.
>>> As you may know the FIPS-compliant version of OpenSSL is not the current version. What we have running is:
>>> Tomcat V 6.0.20
>>> OpenSSL FIPS module V 1.2.2
>>> Open SSL V 0.9.6q
>>> tcnative V 1.1.20
>>> APR V 1.4.2
>>> I have found that the versions used are critical; these were the newest versions of the libraries I could get to work together, with the exception of Tomcat itself. Usage of 6.0.20 is simply because that is what our application is to be released on.
>>> Anyway, the point of this email is to inquire whether you would like the code for integration back into the code base? I also have a fairly detailed list of steps used to do the build(s).
>
> Note this isn't enough, if you did not call FIPS_mode_set(), you aren't running
> FIPS validated code.

I'm pretty sure he's calling it: in the past, I asked if simply using FIPS-approved ciphers was sufficient and he said "no". This is why there is a patch coming hopefully in the near future.

Note that (the other) Chris is probably not subscribed to the list. Feel free to watch this bug for updates:

https://issues.apache.org/bugzilla/show_bug.cgi?id=50570

> The nice way to do this would be to enhance tcnative to
> accept a global config value (not connector-by-connector) to trigger the
> FIPS_mode_set() at startup, and ensure there is enough error reporting back to
> the tomcat initialization code to inform the user of the reason for failure,
> when and if that call is rejected.

That's pretty much what will be required, since FIPS mode appears to be per process and cannot be set per socket.

-chris