Re: Apache2 FIPS Certified?
Thanks for the information, Bill. As best I could tell it looks like the OpenSSL folk have not gotten around to bringing the FIPS mode forward into 0.9.8 yet either...

-- Jess Holle

William A. Rowe, Jr. wrote:
> Plenty. First, OpenSSL is -not- FIPS certified. It's in the certification under test (CUT) phase, and no word of exactly what will come of that phase.
>
> Second, you would have to enable OpenSSL's FIPS-only mode, and stop using all prohibited entropy, hashing and crypto. The httpd project has a little side-repository Ben and I have been working on which will throw these flags appropriately, and replace some components of httpd and apr. I'd point you at it, but the caveat remains that you still won't have any FIPS web server after all your effort. Not until OpenSSL has completed the process.
>
> FWIW, any designation of "FIPS certification pending" happens to be expressly prohibited by the FIPS requirements themselves, so it's not possible to proactively provide a solution with any claims whatsoever.
>
> Ben and I started this sandbox as a proof of concept to determine what needed to change in apr, httpd, etc., and it's very likely that those features will become part of httpd after the certification process is complete. If you want to take a look at our unreleased efforts, that repository is in http://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev/
>
> Bill
>
> At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
> > Would anyone be able to tell me if Apache2 is FIPS certified? If I build OpenSSL with the FIPS flag, is there anything else I have to do when building Apache with OpenSSL?
> >
> > Thanks,
> > Josh.
RE: Apache2 FIPS Certified?
Thanks for the info.

Josh.

-----Original Message-----
From: William A. Rowe, Jr. [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 6:44 PM
To: dev@httpd.apache.org
Cc: dev@httpd.apache.org
Subject: Re: Apache2 FIPS Certified?

> Plenty. First, OpenSSL is -not- FIPS certified. It's in the certification under test (CUT) phase, and no word of exactly what will come of that phase.
>
> Second, you would have to enable OpenSSL's FIPS-only mode, and stop using all prohibited entropy, hashing and crypto. The httpd project has a little side-repository Ben and I have been working on which will throw these flags appropriately, and replace some components of httpd and apr. I'd point you at it, but the caveat remains that you still won't have any FIPS web server after all your effort. Not until OpenSSL has completed the process.
>
> FWIW, any designation of "FIPS certification pending" happens to be expressly prohibited by the FIPS requirements themselves, so it's not possible to proactively provide a solution with any claims whatsoever.
>
> Ben and I started this sandbox as a proof of concept to determine what needed to change in apr, httpd, etc., and it's very likely that those features will become part of httpd after the certification process is complete. If you want to take a look at our unreleased efforts, that repository is in http://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev/
>
> Bill
>
> At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
> > Would anyone be able to tell me if Apache2 is FIPS certified? If I build OpenSSL with the FIPS flag, is there anything else I have to do when building Apache with OpenSSL?
> >
> > Thanks,
> > Josh.
Re: Apache2 FIPS Certified?
At 08:12 AM 8/12/2005, Jess Holle wrote:
> Thanks for the information, Bill. As best I could tell it looks like the OpenSSL folk have not gotten around to bringing the FIPS mode forward into 0.9.8 yet either...

That's not as likely to happen on any particular schedule, and would be a pointless exercise until the implementation under test passes muster. Who knows, certain parts may be sent back to the OpenSSL project for complete rework. Why port what may be a moving target?

You have to understand that FIPS testing is an expensive, time consuming, cyclic process. The crypto code was *FROZEN* at a specific point in time. There is a certain threshold for allowable fixes before the module must be re-certified, but you won't be seeing many rapid releases of crypto code changes, as is the general course for OpenSSL project development.

http://oss-institute.org/index.php?option=content&task=view&id=109 is the current news, such as it is.

Bill
Re: Apache2 FIPS Certified?
Plenty. First, OpenSSL is -not- FIPS certified. It's in the certification under test (CUT) phase, and no word of exactly what will come of that phase.

Second, you would have to enable OpenSSL's FIPS-only mode, and stop using all prohibited entropy, hashing and crypto. The httpd project has a little side-repository Ben and I have been working on which will throw these flags appropriately, and replace some components of httpd and apr. I'd point you at it, but the caveat remains that you still won't have any FIPS web server after all your effort. Not until OpenSSL has completed the process.

FWIW, any designation of "FIPS certification pending" happens to be expressly prohibited by the FIPS requirements themselves, so it's not possible to proactively provide a solution with any claims whatsoever.

Ben and I started this sandbox as a proof of concept to determine what needed to change in apr, httpd, etc., and it's very likely that those features will become part of httpd after the certification process is complete. If you want to take a look at our unreleased efforts, that repository is in http://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev/

Bill

At 03:59 PM 8/11/2005, Fenlason, Josh wrote:
> Would anyone be able to tell me if Apache2 is FIPS certified? If I build OpenSSL with the FIPS flag, is there anything else I have to do when building Apache with OpenSSL?
>
> Thanks,
> Josh.