Re: How to build Apache with FIPS mode capable?

Thanks Christopher.

Yes I do have some regulatory requirement to use FIPS and I have built the FIPS capable OpenSSL lib.
I tried to add the "SSLFIPS on" parameter to the httpd.conf config file as suggested in the mod_ssl manual page, but httpd failed to start with errors which seemed to be due to the fact that my Apache server was not compiled against an SSL library which supports the FIPS_mode flag.

I need help with guidance on how to compile the Apache server with the FIPS-capable OpenSSL lib so that the Apache server can operate under the OpenSSL FIPS mode.

Thanks.

On Tue, Feb 9, 2016 at 5:49 AM, Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rich,

On 2/8/16 3:25 PM, cloud force wrote:
> Hi All:
>
> From the mod_ssl doc, it mentioned: "If httpd was compiled against
> an SSL library which did not support the FIPS_mode flag, |SSLFIPS
> on| will fail."
>
> How do I compile apache (version 2.2) with FIPS capable OpenSSL
> library?

It's not Apache httpd that needs to be compiled for FIPS, it's
OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be
okay.

Building a FIPS-capable OpenSSL is possible, but requires some steps
on top of the usual OpenSSL build process:

http://openssl.org/docs/fips.html

Unless you have some regulatory requirement to use FIPS, I wouldn't
bother with the whole mess. FIPS does two things: (1) validates the
library on startup to ensure it hasn't been tampered with (which I
suppose is good) and (2) mandates a specific set of hashes, ciphers,
etc. (bad). The reason #2 is bad is because the set of ciphers
required by FIPS includes known weak ciphers, and probably also
contains unknown weak ciphers, too.

AFAICR, FIPS also will not allow you to use additional ciphers on top
of the FIPS requirements, so you aren't allowed to use the latest and
greatest ciphers recommended by security experts.

(Finally, it's unclear whether or not it's actually possible to
produce a FIPS-compliant implementation *at all*, so the whole thing
is a farce, anyway.)

So, unless you have a specific and unyielding requirement to use a
FIPS-compliant library, save your time and just configure your
non-FIPS-compliant server in a sane way and you'll be fine.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla57nUACgkQ9CaO5/Lv0PAyTwCeLBOwi8VV9W5vngMc01ae62vC
O6wAnjglbjMq8S3+ZEyU1jch6wH4d7HW
=NJnj
-----END PGP SIGNATURE-----
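The thread leaves two practical questions open: how to make sure httpd's mod_ssl is actually linked against the FIPS-capable OpenSSL rather than the system one, and how to confirm that the FIPS-capable build really refuses non-approved algorithms before relying on "SSLFIPS on". The script below is an added example for this page, not code from either poster or from the httpd or OpenSSL projects. It assumes the FIPS-capable OpenSSL (1.0.x with the FIPS Object Module, the setup the linked fips.html page describes) was installed under a hypothetical prefix /opt/openssl-fips and that httpd was configured with `--with-ssl=` pointing at that prefix; the ldd listings and httpd.conf fragment embedded in it are constructed samples so the checking functions can be exercised without a real build.

```shell
#!/bin/sh
# Added example: verify that httpd/mod_ssl uses a FIPS-capable OpenSSL.
# Assumed (hypothetical) locations; override via environment.
#   FIPS_SSL_PREFIX  prefix of the FIPS-capable OpenSSL build
#   MOD_SSL          path of the mod_ssl.so produced by:
#                    ./configure --enable-ssl --with-ssl="$FIPS_SSL_PREFIX"
#   HTTPD_CONF       the httpd.conf that should carry "SSLFIPS on"

# Given one `ldd` listing (as a string) and the FIPS prefix, return 0 when
# libcrypto resolves to a file under that prefix, 1 otherwise (including
# "not found" or a system libcrypto).
libcrypto_from_prefix() {
    listing="$1"; prefix="$2"
    path=$(printf '%s\n' "$listing" | awk '/libcrypto/ { print $3; exit }')
    case "$path" in
        "$prefix"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when an httpd.conf body contains an active (uncommented)
# "SSLFIPS on" directive, 1 otherwise.
sslfips_enabled_in() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*SSLFIPS[[:space:]]+on[[:space:]]*$'
}

# Run the FIPS-capable openssl binary with OPENSSL_FIPS=1, which makes the
# command-line tool enter FIPS mode.  MD5 is not an approved digest, so it
# must fail while SHA-256 must still work; return 0 only if both hold.
fips_mode_engages() {
    bin="$1"
    if OPENSSL_FIPS=1 "$bin" md5 /dev/null >/dev/null 2>&1; then
        return 1   # md5 still allowed: this build is not enforcing FIPS
    fi
    OPENSSL_FIPS=1 "$bin" sha256 /dev/null >/dev/null 2>&1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_FIPS_LDD='        linux-vdso.so.1 (0x00007ffd00000000)
        libssl.so.1.0.0 => /opt/openssl-fips/lib/libssl.so.1.0.0 (0x00007f0000000000)
        libcrypto.so.1.0.0 => /opt/openssl-fips/lib/libcrypto.so.1.0.0 (0x00007f0000100000)'
SAMPLE_SYSTEM_LDD='        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)'
SAMPLE_CONF_ON='LoadModule ssl_module modules/mod_ssl.so
SSLFIPS on
Listen 443'
SAMPLE_CONF_OFF='LoadModule ssl_module modules/mod_ssl.so
# SSLFIPS on
Listen 443'

# Live check against the real installation (only when invoked with "run").
main() {
    prefix="${FIPS_SSL_PREFIX:-/opt/openssl-fips}"
    modssl="${MOD_SSL:-/usr/local/apache2/modules/mod_ssl.so}"
    conf="${HTTPD_CONF:-/usr/local/apache2/conf/httpd.conf}"

    [ -x "$prefix/bin/openssl" ] || { echo "no openssl under $prefix"; return 1; }
    [ -f "$modssl" ] || { echo "no mod_ssl at $modssl"; return 1; }

    if libcrypto_from_prefix "$(ldd "$modssl")" "$prefix"; then
        echo "mod_ssl links libcrypto from $prefix"
    else
        echo "mod_ssl links another libcrypto: rebuild httpd with --with-ssl=$prefix"
    fi
    if fips_mode_engages "$prefix/bin/openssl"; then
        echo "FIPS mode engages (md5 rejected, sha256 accepted)"
    else
        echo "FIPS mode does not engage: check the FIPS Object Module build"
    fi
    if sslfips_enabled_in "$(cat "$conf")"; then
        echo "SSLFIPS on is active in $conf"
    else
        echo "SSLFIPS on is missing or commented out in $conf"
    fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Invoke it as `sh check_fips.sh run` on the server; without the argument it only defines the functions. The ldd check matters because a system OpenSSL earlier on the loader path silently satisfies mod_ssl, and then "SSLFIPS on" fails exactly as described in the thread even though a FIPS-capable build exists elsewhere on the box.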
