On Tue, Mar 2, 2010 at 2:39 PM, Mike Trent <Michael.Trent@xxxxxxxxx> wrote:
> There is a patch that turns on FIPS mode in mod_ssl (listed in my last post)
> We can run apache as a server for HTTPS (SSL) in FIPS mode. However when
> communicating over HTTPS (SSL) via mod_proxy - mod_ssl is not running FIPS
> mode. This can be verified by running a line trace and seeing that the TLS
> handshaking client HELLO packet presents a cipher suite that includes non
> FIPS compliant algorithms (RC4 for example).
>
> While running in server mode (not using mod_proxy) FIPS is enabled properly.
> This can be seen in the TLS server HELLO which presents only FIPS compliant
> algorithms such as 3DES.
>
> i.e.
> SSL - as a server -FIPS compliant

I would love to help you, but I need more information from you in order to do so. I have trouble finding out what it is exactly that you are trying to achieve, and in what way, because the context fails. Precise language is useful. I have trouble trying to imagine what you mean with "running in proxy mode" and "via mod_proxy". That is where the exact language of a config file helps. So please, just post us the SSL part of your config, and we may be able to point out to you what you need to modify.

> SSL - as a client via mod_proxy - not FIPS compliant

Are you saying that apache is here acting as an SSL client in a non-FIPS compliant way? I.e. apache is here used by you as a proxy that forwards towards an https server? In that case have a look at the SSLProxy* directives.

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
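The line-trace check described in the quoted message (inspecting the ClientHello that the proxy side sends for non-FIPS suites such as RC4) can be automated. The following is an added example, not code from this thread or from the Apache project; the function names, the small suite table, the choice to flag only RC4, and the sample record are assumptions of the example, and it expects a single unfragmented ClientHello record.

```python
import struct

# IANA suite IDs; treating only RC4 as non-FIPS is this example's assumption,
# taken from the post. IDs missing from the table are not flagged: extend it.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
NON_FIPS_MARKERS = ("RC4",)

def _take(buf, off, n):
    """Bounds-checked slice; returns (bytes, new offset)."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n], off + n

def client_hello_suites(record):
    """Cipher suite IDs offered in one unfragmented ClientHello record."""
    hdr, off = _take(record, 0, 5)
    ctype, _ver, rec_len = struct.unpack("!BHH", hdr)
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, off, rec_len)
    hs, off = _take(body, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hello, _ = _take(body, off, int.from_bytes(hs[1:], "big"))
    _, off = _take(hello, 0, 2 + 32)            # client_version + random
    sid_len, off = _take(hello, off, 1)
    _, off = _take(hello, off, sid_len[0])      # session_id
    n, off = _take(hello, off, 2)               # cipher_suites length
    raw, _ = _take(hello, off, int.from_bytes(n, "big"))
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]

def non_fips_offered(record):
    """Names of offered suites whose name contains a non-FIPS marker."""
    names = [SUITE_NAMES.get(s, "UNKNOWN_0x%04X" % s) for s in client_hello_suites(record)]
    return [n for n in names if any(m in n for m in NON_FIPS_MARKERS)]

def build_client_hello(suites):
    """Constructed sample input: a minimal TLS 1.0 ClientHello record."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(non_fips_offered(build_client_hello([0x0005, 0x0004, 0x000A, 0x002F])))
```

Feed it the raw bytes of the first record the proxy sends to the backend; an empty result means no table entry matched a marker, not that every offered suite is approved.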