Unfortunatley restricting the algorithms to FIPS compliant algorithms in the apache configs is not good enough to claim FIPS 140-2 compliance. The openSSL library 'must' be running in FIPS mode. It is a requirement of FIPS 140-2 that the module doing the cryptographic functions is a FIPS 'validated' module. When in FIPS mode SSL will automatically restrict the algorithms. Perhaps I need to post this on the openSSL forum instead. Thanks again. Krist van Besien wrote: > > > Of course it could be that when operating as a client Apache assumes > that it is the server it communicates with that will enforce FIPS > compliance. However, you can probably make it compliant by restricting > the cyphers it will use as a client. That is why I suggested you look > in to the possibilitiess the SSLProxy* directives offer. If you > consult the mod_ssl documentation you will see that there is a > directive SSLProxyCipherSuite, that you can use to limit the ciphers > offered in the HELLO packet. > > > Krist > > -- > krist.vanbesien@xxxxxxxxx > krist@xxxxxxxxxxxxx > Bremgarten b. Bern, Switzerland > -- > -- View this message in context: http://old.nabble.com/FIPS-140_2-compliant-for-mod_proxy--tp27748496p27768938.html Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|