From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: FIPS compliancy on Tomcat 7.00.062
Date: Sat, 08 Aug 2015 08:19:05 -0400
Message-id: <55C5F3B9.3060504@christopherschultz.net>
References: <55C080BC.1070000@apache.org> <55C0B491.8050605@apache.org> <55C1CCF4.3050906@apache.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nikitha,

On 8/5/15 6:52 AM, Nikitha Benny wrote:
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server
> side is running fine on *TLSv1.2* Protocol.
>
> [root]## *openssl s_client -connect 16.183.93.84:8444*
> CONNECTED(00000003)
> - - - - - - - - -
> - - - - - - - - - - - - - - - - - - -
>
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : *TLSv1.2*
>     Cipher    : 0000
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser? Since the browser is not
> FIPS compliant, could it be the reason for the issue?

FIPS compliance is really nothing more than using a certified set of
ciphers, and having the crypto module self-verify when it initializes
to ensure that it has not been tampered with. So a FIPS-certified stack
connecting to a non-FIPS-certified stack is no different from
FIPS-to-FIPS or FIPS-less-to-FIPS-less. It will work whether FIPS
compliance is met on either side of the connection or not.

IIRC (I haven't read the requirements recently), every truly
FIPS-compliant environment is currently vulnerable because FIPS
requires the support of known vulnerable protocols such as SSL3 as
well as a few required ciphers that were intentionally weakened by the
NSA.
If you want to be FIPS-compliant, I suggest that you be "nominally"
FIPS compliant and disable all of the bad stuff FIPS requires, yet
adhere to the rest of the requirements.

-chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVxfO5AAoJEBzwKT+lPKRYzTEP/iw+wygF9J/Jn4Zi/0793Npu
bWdyWJoIrArjZ1d0qcnOsyQ4r4l94DU0MGHDeVijTk4iGhQyCnx5I9jT9qGpuQj6
DuC3VCBOkxceEJ1DLdtHkeQ/njkk4hdwnGarQ6Mt4MPhNee5zX3PFhC+vR9VTzBE
3nCcTKENciH4s5niJ+cA2i5EctLdOedyrVDRIaUuM7WDt0jDcRlAjUsBdwF1yf1M
hY+hSIQzaLgMP79cXGrA3G5GC5U1MGesJR0gwjJdS/xpziP97XbcDrL6IVPbTWJ2
TrgNqyHsOvLXvPh3qOG5rdO2NDOS4SkCktWfX9nAV1pb4Jpc6hRS4o58tPkXHgsp
d1/4/NxvxiFIa5zGUHgckBQQa/55x5+aa2LPUcVVBW4UPOjaxHRrDjaFGYhFB1Z9
isVRVHqY+cQZBn8agGfiTLduRnvE8+7vMCP/2GmXHdepLmWKbhoJ7AsBDMB6dwWT
/BgS7fEa29GHmcV1R4UMkCpiBbO9J6XAVAdLohXZ8o62E4Fxu2U3uDZumPPBOqUU
mi0s5SYVXlPfoj7/tuudm7Z9vgk4OW9SAHoUvPNpMP8pY32WkgWVADGMntykdPRs
csZhL+9jl9yaSEePFxXv89wHb/KxbP0H3C3kUu/nXRAkrcIbd+bFP99M2Nc7dPm7
fw5lT3gPUmkN1fKjVsV6
=DbB8
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
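Chris's "nominally FIPS" advice (keep the approved algorithms, drop SSL3 and the weak suites) expressed as a Tomcat 7 server.xml connector, shown as an added example that is not part of this thread or of the Tomcat project's own documentation. The connector attributes (SSLEnabled, sslProtocol, sslEnabledProtocols, ciphers, keystoreFile, keystorePass) are the real Tomcat 7 JSSE connector attributes; port 8444 is taken from the quoted s_client run, and the keystore path and password are placeholders. The first connector is the weak form, the second the hardened one.

```xml
<!-- Added example, not from the thread. Tomcat 7 JSSE (NIO) HTTPS connectors.
     Keystore path and password are placeholders; replace with your own. -->

<!-- WEAK: sslProtocol="TLS" with no sslEnabledProtocols lets the JVM offer
     every protocol it supports (on older JVMs that includes SSLv3), and no
     'ciphers' list means the JVM's default suite list, which on those JVMs
     still contains RC4 and 3DES suites. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME-placeholder"
           clientAuth="false"
           sslProtocol="TLS" />

<!-- HARDENED ("nominally FIPS"): only TLS 1.2 is negotiable, and only AES-GCM
     suites with ECDHE forward secrecy are offered, so SSLv3, RC4, 3DES and the
     export-grade suites are never on the wire. AES, SHA-256/384, ECDH and RSA
     are all FIPS-approved algorithms; the GCM suites need Java 8 or later. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME-placeholder"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
```

After restarting Tomcat, the same `openssl s_client -connect host:8444` check from the quoted message should report `Protocol : TLSv1.2` and one of the two listed suites on the `Cipher :` line, while `openssl s_client -connect host:8444 -ssl3` should fail to complete a handshake. Two caveats a practitioner would want: a `Cipher is (NONE)` / `Cipher : 0000` result from s_client means no cipher suite was agreed at all, so the connection in that state is not usable regardless of the protocol line; and restricting the suite list does not by itself make the stack FIPS-validated, since the stock SunJSSE provider is not a validated module, which is exactly the "nominally" in Chris's wording.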