Jason Jones wrote:
> Can I ask what the status is on utilizing OpenSSL's FIPS mode with
> mod_ssl?

No news from me yet - I've just finished helping migrate mod_ftp out of incubation into httpd project, and have one more critical patch to bring it into the 21.1'nd century (EPSV/EPRT implementations). And I had also just finished the non-ASF release of current mod_aspdotnet code, removing the final nail from that coffin.

Ben and I started this, Ben committed the original code around the planned design of openssl/fips 1.0.0. From the actual 1.0.0 release through today, that design evolved. In the meantime, I have a whole lot of private hackery in my trees based on commercial FIPS support, which I'll re-port and bring out during March.

Then the list is likely to debate the wisdom of supporting MD5 (a disapproved hash) throughout the code. Perhaps even revisit where SHA1's eventual demise (2009?) should be preemptively replaced by SHA2 strength hashes.

It took several years for openssl to get where it is, I hope it isn't years for us to rigorously follow the Security Policy, but it's not an overnight sort of thing.

Bill
