Re: FIPS 140_2 compliant for mod_proxy?

On Tue, Mar 2, 2010 at 2:39 PM, Mike Trent <Michael.Trent@xxxxxxxxx> wrote:

> There is a patch that turns on FIPS mode in mod_ssl (listed in my last post).
> We can run apache as a server for HTTPS (SSL) in FIPS mode. However when
> communicating over HTTPS (SSL) via mod_proxy - mod_ssl is not running FIPS
> mode. This can be verified by running a line trace and seeing that the TLS
> handshaking client HELLO packet presents a cipher suite that includes non
> FIPS compliant algorithms (RC4 for example).
>
> While running in server mode (not using mod_proxy) FIPS is enabled properly.
> This can be seen in the TLS server HELLO which presents only FIPS compliant
> algorithms such as 3DES.
>
> i.e.
> SSL - as a server -FIPS compliant

I would love to help you, but I need more information from you in
order to do so. I have trouble finding out what it is exactly that you
are trying to achieve, and in what way, because the context fails.
Precise language is useful. I have trouble trying to imagine what you
mean with "running in proxy mode" and "via mod_proxy". That is where
the exact language of a config file helps.
So please, just post us the SSL part of your config, and we may be
able to point out to you what you need to modify.

> SSL - as a client via mod_proxy - not FIPS compliant

Are you saying that apache is here acting as an SSL client in a
non-FIPS-compliant way? I.e. apache is here used by you as a proxy that
forwards towards an https server? In that case have a look at the
SSLProxy* directives.

Krist

-- 
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
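
The line-trace check described in the quoted message (inspecting which cipher suites the proxy's TLS client HELLO offers), as an added example that is not part of the original thread. The suite table is a small subset of IANA codes, the `NON_FIPS_TOKENS` list and all function names are assumptions for illustration, and the sample records are constructed.

```python
import struct

# Small subset of IANA TLS cipher suite codes, enough for this illustration.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Assumption: name tokens treated as not FIPS-approved (the thread names RC4).
NON_FIPS_TOKENS = ("RC4", "MD5")

def offered_suites(record):
    """Return the cipher suite codes offered in one TLS ClientHello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 4 or len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                       # skip client_version and random
    if len(hello) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]              # skip session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher_suites length")
    return [code for (code,) in struct.iter_unpack("!H", raw)]

def non_fips_offers(record):
    """Names of offered suites that are non-FIPS or unknown (needs review)."""
    names = [SUITES.get(c, "UNKNOWN_0x%04X" % c) for c in offered_suites(record)]
    return [n for n in names
            if n.startswith("UNKNOWN") or any(t in n for t in NON_FIPS_TOKENS)]

def build_hello(codes):
    """Constructed sample: a minimal ClientHello record offering `codes`."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(non_fips_offers(build_hello([0x0004, 0x0005, 0x000A, 0x002F])))
    print(non_fips_offers(build_hello([0x000A, 0x002F, 0x0035])))
```

An empty result means every offered suite is in the table and carries none of the flagged tokens; codes missing from the table are reported as `UNKNOWN_0x....` so they get reviewed rather than silently passed.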

