Thanks for the info.
,
Josh.
> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 11, 2005 6:44 PM
> To: dev@httpd.apache.org
> Cc: dev@httpd.apache.org
> Subject: Re: Apache2 FIPS Certified?
>
> Plenty. First, OpenSSL is -not- FIPS certified. It's in the certification under test (CUT) phase, and no word of exactly what will come of that phase. Second, you would have to enable OpenSSL's fips-only mode, and stop using all prohibited entropy, hashing and crypto.
>
> The http project has a little side-repository Ben and I have been working on which will throw these flags appropriately, and replace some components of httpd and apr. I'd point you at it, but the caveat remains that you still won't have any fips web server after all your effort. Not until OpenSSL has completed the process.
>
> FWIW, any designation of "FIPS certification pending" happens to be expressly prohibited by the FIPS requirements themselves, so it's not possible to proactively provide a solution with any claims whatsoever.
>
> Ben and I started this sandbox as a proof of concept to determine what needed to change in apr, httpd, etc, and it's very likely that those features will become part of httpd after the certification process is complete. If you want to take a look at our unreleased efforts, that repository is in
>
> http://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev/
>
> Bill
>
> At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
> >Would anyone be able to tell me if Apache2 is FIPS certified? If I build OpenSSL with the FIPS flag, is there anything else I have to do when building Apache with OpenSSL? Thanks.
> >,
> >Josh.