tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: FIPS compliancy on Tomcat 7.00.062
Date Sat, 08 Aug 2015 12:19:05 GMT

Nikitha,

On 8/5/15 6:52 AM, Nikitha Benny wrote:
> Thank you for your valuable suggestion.
> 
> I just ran the openssl s_client scan, and it looks like the server
> side is running fine on *TLSv1.2* Protocol.
> 
> [root]## *openssl s_client -connect 16.183.93.84:8444*
> CONNECTED(00000003)
> - - -  - -  - - - - -  - -  - - - - -  - -  - - - - -  - -  - -
> 
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : *TLSv1.2*
>     Cipher    : 0000
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> 
> So could it be an issue with the browser? Since the browser is not
> FIPS compliant, could it be the reason for the issue?

FIPS compliance is really nothing more than using a certified set of
ciphers, and having the crypto module self-verify when it initializes
to ensure that it has not been tampered with.

So a FIPS-certified stack connecting to a non-FIPS-certified stack is
no different than FIPS-to-FIPS or FIPS-less-to-FIPS-less. It will work
whether FIPS compliance is met on either side of the connection or not.

IIRC (I haven't read the requirements recently), every truly
FIPS-compliant environment is currently vulnerable because FIPS
requires the support of known vulnerable protocols such as SSL3 as
well as a few required ciphers that were intentionally weakened by the
NSA.

If you want to be FIPS-compliant, I suggest that you be "nominally"
FIPS compliant and disable all of the bad stuff FIPS requires, yet
adhere to the rest of the requirements.

-chris
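Added example, not part of the original message: a small Python check that reads the summary block of `openssl s_client` output and reports whether a cipher suite was actually negotiated. In s_client output, `Cipher is (NONE)` and `Cipher : 0000` mean no suite was agreed, whatever the `Protocol` line says. The function name `summarize` and the sample text (built from the fields quoted in the thread, certificate body omitted) are assumptions made for the example.

```python
import re

# Constructed sample: summary fields from the s_client output quoted in the
# message above (certificate body omitted).
SAMPLE = """\
CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 18 (self signed certificate)
"""


def summarize(output):
    """Extract the handshake summary fields from `openssl s_client` text."""
    def grab(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None

    info = {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "new_cipher": grab(r"Cipher is (\S+)"),
        "verify_code": grab(r"Verify return code:\s*(\d+)"),
    }
    io = re.search(r"read (\d+) bytes and written (\d+) bytes", output)
    info["bytes_written"] = int(io.group(2)) if io else None
    # "0000" / "(NONE)" mean no cipher suite was agreed, so there is no usable
    # session even when a Protocol line is printed.
    info["negotiated"] = (
        info["cipher"] not in (None, "0000", "(NONE)")
        and info["new_cipher"] not in (None, "(NONE)")
    )
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:14} {value}")
```
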