tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: FIPS mode OpenSSL under Tomcat 6.0
Date Tue, 11 Jan 2011 17:18:29 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris,

On 1/7/2011 4:24 PM, Chris Beckey wrote:
> I need to run a FIPS 140-2 certified SSL/TLS implementation under
> Tomcat 6.0.20.  I have OpenSSL configured and running but I cannot
> find a way to set FIPS mode in OpenSSL.

I don't think there's any way to configure OpenSSL via Tomcat other than
to specify the ciphers that OpenSSL will use for SSL.

> From the OpenSSL
> documentation it should be as simple as making a call to
> FIPS_mode_set(), probably from within the AprLifecycleListener but I
> can't find a configuration option nor any indication that
> FIPS_mode_set() method is visible in the tcnative library or JNI
> wrapper.

I can't find the string "fips" (case-insensitive) anywhere in the
tomcat-native code, so it must not be exposed.

> Question is, has anyone run OpenSSL under Tomcat in FIPS
> mode? Any help would be appreciated.

If you know the ciphers allowed by FIPS, you can just specify them in
your <Connector> configuration. Is that acceptable, or do you absolutely
need to have FIPS mode set? (I understand these things are sometimes
non-negotiable).

It doesn't look like it would be a big deal to add some code to allow
FIPS mode via the APR connector with OpenSSL. Would you be willing to
test some of that code?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0skOUACgkQ9CaO5/Lv0PDhHACfXKvxsXyow99+flTQbLyXO0Du
yS0AoJYy+kEzl1bylVNff7IyO52zjesa
=9VrF
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message