Plenty.  First, OpenSSL is -not- FIPS certified.  It's in
the certification under test (CUT) phase, and no word of
exactly what will come of that phase.  Second, you would
have to enable OpenSSL's fips-only mode, and stop using
all prohibited entropy, hashing and crypto.

The http project has a little side-repository Ben and I have
been working on which will throw these flags appropriately,
and replace some components of httpd and apr.  I'd point you
at it, but the caveat remains that you still won't have any
FIPS web server after all your effort.  Not until OpenSSL
has completed the process.

FWIW, any designation of "FIPS certification pending" happens
to be expressly prohibited by the FIPS requirements themselves,
so it's not possible to proactively provide a solution with
any claims whatsoever.

Ben and I started this sandbox as a proof of concept to
determine what needed to change in apr, httpd, etc., and it's
very likely that those features will become part of httpd after
the certification process is complete.  If you want to take a
look at our unreleased efforts, that repository is in

  http://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev/

Bill

At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
>Would anyone be able to tell me if Apache2 is FIPS certified?  If I build 
>OpenSSL with the FIPS flag, is there anything else I have to do when building 
>Apache with OpenSSL?  Thanks.
>,
>Josh.

