tomcat-users mailing list archives

From Chris Beckey <>
Subject Re: FIPS mode OpenSSL under Tomcat 6.0
Date Thu, 13 Jan 2011 16:45:27 GMT
Thanks for your help, Chris.

Unfortunately this is a non-negotiable issue with the client, I have to run
in FIPS mode.

Yes, I would be willing to test the addition of a FIPS mode switch to
Tomcat.  The other option is for me to make the change myself.  It has been a
while since I touched JNI, so it would probably be much faster for you to
make the change.

What I found on running JSSE are the following links; the following quote
comes from "FIPS 140 compliance for SunJSSE":

   - The SunJSSE provider now supports an experimental FIPS 140 compliant
   mode. When enabled and used in combination with the SunPKCS11 provider and
   an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140
   compliant. For details, see the JSSE Reference

On 1/7/2011 4:24 PM, Chris Beckey wrote:
> I need to run a FIPS 140-2 certified SSL/TLS implementation under
> Tomcat 6.0.20.  I have OpenSSL configured and running but I cannot
> find a way to set FIPS mode in OpenSSL.

I don't think there's any way to configure OpenSSL via Tomcat other than
to specify the ciphers that OpenSSL will use for SSL.

> From the OpenSSL
> documentation it should be as simple as making a call to
> FIPS_mode_set(), probably from within the AprLifecycleListener but I
> can't find a configuration option nor any indication that
> FIPS_mode_set() method is visible in the tcnative library or JNI
> wrapper.

I can't find the string "fips" (case-insensitive) anywhere in the
tomcat-native code, so it must not be exposed.

> Question is, has anyone run OpenSSL under Tomcat in FIPS
> mode? Any help would be appreciated.

If you know the ciphers allowed by FIPS, you can just specify them in
your <Connector> configuration. Is that acceptable, or do you absolutely
need to have FIPS mode set? (I understand these things are sometimes

It doesn't look like it would be a big deal to add some code to allow
FIPS mode via the APR connector with OpenSSL. Would you be willing to
test some of that code?

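The cipher-restriction workaround suggested in the quoted reply, written out as an added example that is not part of the original thread: a Tomcat 6 APR/OpenSSL <Connector> with the permissive defaults next to one restricted to suites built only from FIPS 140-2 approved algorithms (AES or 3DES for encryption, SHA-1 for the MAC, RSA for key exchange and authentication). The attribute names are the ones Tomcat documents for its APR connector; the port and certificate paths are assumed placeholders. The caveat from the thread still applies: this only limits what the connector will negotiate, it does not call FIPS_mode_set(), so the OpenSSL library itself is not running in FIPS mode.

```xml
<!-- server.xml fragment (added example, not from the thread).
     Port and certificate paths are placeholders; use one of the two
     connectors below, not both on the same port. -->

<!-- Before: Tomcat 6 APR connector left at its defaults. SSLProtocol="all"
     admits SSLv2 and SSLv3, and SSLCipherSuite="ALL" lets OpenSSL negotiate
     RC4, MD5-based, single-DES and export suites, none of which use
     FIPS 140-2 approved algorithms. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLProtocol="all"
           SSLCipherSuite="ALL"
           SSLCertificateFile="/etc/tomcat6/ssl/server.crt"
           SSLCertificateKeyFile="/etc/tomcat6/ssl/server.key" />

<!-- After: TLSv1 only (SSLv2 and SSLv3 are not acceptable for FIPS
     operation) and an explicit OpenSSL cipher string naming only suites
     whose cipher, MAC and key exchange are FIPS-approved algorithms.
     Any suite not in this list is refused at the handshake. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLProtocol="TLSv1"
           SSLCipherSuite="DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA"
           SSLCertificateFile="/etc/tomcat6/ssl/server.crt"
           SSLCertificateKeyFile="/etc/tomcat6/ssl/server.key" />
```

Before relying on the string, expand it against the same OpenSSL build that tcnative links to with `openssl ciphers -v 'DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA'`: every output line should show Enc=AES(...) or Enc=3DES(168) and Mac=SHA1, and nothing else. If anything else appears, the string was mistyped and a suite you did not intend is negotiable. As the thread notes, this is cipher restriction only; the module's power-on self-tests and the FIPS_mode_set() gate are never engaged, which is why a client that demands FIPS mode will not be satisfied by it.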