On Jan 12, 2008 10:08 AM, Jeff McAdams <jeffm@xxxxxxxxx> wrote: > Victor Trac wrote: > > On Jan 12, 2008 3:34 PM, robingandhi21 <robingandhi21@xxxxxxxxx> wrote: > >> Please let me know if anybody have any idea of Apache2.2 being FIPS > >> compliant? > > > FIPS deals with encryption standards, not http service. Certain > > versions of OpenSSL are FIPS compliant, so as long as you use a > > certified version of OpenSSL in Apache, I suppose you are compliant. > > That's not completely true. > > There is some requirement that the apps that use the cryptographic > modules use them in "the right way". So its not just a matter of > slapping a certified OpenSSL in there. Alas, I don't know specifics of > what "the right way" consists of...the office of our security-focused > guy that really knows this stuff shares a wall with mine, but its not > me, so I'm not up on all the specifics. There were people working on a certified Apache httpd + OpenSSL. I'm not sure what the result was, but searching the archives of the dev@xxxxxxxxxxxxxxxx list for FIPS will surely turn up something useful. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|