RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
Thank you George for letting us know on -Dorg.bouncycastle.rsa.allow_multi_use=true" JVM option. Will explore this further and update the document (https://github.com/amitlpande/tomcat-9-fips/blob/master/README.md) appropriately. Albeit reluctantly, we have given in to use BCFIPS (over PKCS12) for our key stores as it is the only format meeting our FIPS requirements. Thanks, Amit -Original Message- From: George Stanchev Sent: Saturday, December 5, 2020 11:17 AM To: Tomcat Users List Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Chris -Original Message- From: Christopher Schultz Sent: Friday, December 04, 2020 1:20 PM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? > With the pluggability of Java's crypto interface, I seriously doubt > Oracle is going to certify a JCE module in the future, esp. with free > 3rd party solutions such as BCFIPS. Is BC actually certified? It seems unlikely to me that a group of volunteers from Australia are going to bother to go through that module-certification process. GS: While the project is open sourced they had a company (Crypto Workshop) that earned a living through paid support and consulting. They were recently acquired (https://www.prnewswire.com/news-releases/primekey-acquires-crypto-workshop-300988188.html). And yes they are certified (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2768) and currently working on the next certification, expected out next year. > I found it non-trivial and the toolsets to be very specific, and even > after following all instructions from several wikis and web pages I > kept running into issues resulting in overall failure. Yes, the build process for OpenSSL is horrible. I have no idea why they decided to use Perl as their build system. On Windows? I have only tried to build the OpenSSL binary, not the FIPS-compliant module. Having done it on Linux (where it's "easy") I can say I'm glad I'm not responsible for doing it on Windows. GS: Sadly, OpenSSL and the FIPS module built just fine. I forgot the details but it was the ARP or the tcnative itself that failed me. There is also a bug in OpenSSL or tomcat's glue code that if cacerts contain more than a certain number of certificates to fail the handshake with timeout (http://tomcat.10.x6.nabble.com/Client-Cert-TLS-issue-td5090609.html) > Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is > only available for that version line. OpenSSL still produces security > fixes to paid support subscribers (we are) but they are not available > for the general public. OpenSSL 3.0 will have a refreshed re-certified > FIPS module but it is not due until later next year, so for now > general public is left hanging with the last public version of > 1.0.1+FIPS. :( This is why we can't have nice things. > The workaround could be to use a different password based key > derivation function - PBKDF2. However, there is nothing in the PKCS12 > spec that allows to encode another algorithm OID in MacData. In > essence, you cannot use any other algorithm other than the one defined > in spec which is not FIPS compliant. And something which is ironically FIPS-compliant is to use a PEM file with no protection whatsoever. GS: Well, the keys in the PEM files are still encrypted but you're right no protection of the overall container like in BCFKS or PKCS12 George B CB [ X ܚX KK[XZ[ \ \ ][ X ܚX P X ] \X K ܙ B ܈Y][ۘ[ [X[ K[XZ[ \ \ Z[ X ] \X K ܙ B - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
Chris -Original Message- From: Christopher Schultz Sent: Friday, December 04, 2020 1:20 PM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? > With the pluggability of Java's crypto interface, I seriously doubt > Oracle is going to certify a JCE module in the future, esp. with free > 3rd party solutions such as BCFIPS. Is BC actually certified? It seems unlikely to me that a group of volunteers from Australia are going to bother to go through that module-certification process. GS: While the project is open sourced they had a company (Crypto Workshop) that earned a living through paid support and consulting. They were recently acquired (https://www.prnewswire.com/news-releases/primekey-acquires-crypto-workshop-300988188.html). And yes they are certified (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2768) and currently working on the next certification, expected out next year. > I found it non-trivial and the toolsets to be very specific, and even > after following all instructions from several wikis and web pages I > kept running into issues resulting in overall failure. Yes, the build process for OpenSSL is horrible. I have no idea why they decided to use Perl as their build system. On Windows? I have only tried to build the OpenSSL binary, not the FIPS-compliant module. Having done it on Linux (where it's "easy") I can say I'm glad I'm not responsible for doing it on Windows. GS: Sadly, OpenSSL and the FIPS module built just fine. I forgot the details but it was the ARP or the tcnative itself that failed me. There is also a bug in OpenSSL or tomcat's glue code that if cacerts contain more than a certain number of certificates to fail the handshake with timeout (http://tomcat.10.x6.nabble.com/Client-Cert-TLS-issue-td5090609.html) > Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is > only available for that version line. OpenSSL still produces security > fixes to paid support subscribers (we are) but they are not available > for the general public. OpenSSL 3.0 will have a refreshed re-certified > FIPS module but it is not due until later next year, so for now > general public is left hanging with the last public version of > 1.0.1+FIPS. :( This is why we can't have nice things. > The workaround could be to use a different password based key > derivation function - PBKDF2. However, there is nothing in the PKCS12 > spec that allows to encode another algorithm OID in MacData. In > essence, you cannot use any other algorithm other than the one defined > in spec which is not FIPS compliant. And something which is ironically FIPS-compliant is to use a PEM file with no protection whatsoever. GS: Well, the keys in the PEM files are still encrypted but you're right no protection of the overall container like in BCFKS or PKCS12 George
Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
George, On 12/4/20 14:22, George Stanchev wrote: -Original Message- From: Christopher Schultz Sent: Friday, December 04, 2020 10:58 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? George, On 12/3/20 21:59, George Stanchev wrote: Java's FIPS mode is "expirmental" feature that was removed in later Java versions. It was never certified (AFAIK). I've always found conflicting information about whether or not Java's crypto module was FIPS-certified or not. Sun/Oracle have documentation which suggests that, at least under some configurations, it IS certified, but there is precious little information about it. I suspect you can pay Oracle to give you the magic that makes it certified. I've never cared enough about it to actually try to find it out. I find FIPS to be a useless requirement that doesn't add any security beyond what usual best-practices would give you. But I don't do work in intelligence or military applications, so I'm allowed to thumb my nose at such things. GS: IBM's JCE is FIPS-certified but not Oracle's. Also, we should make a distinction between "certified" and "compliant". Yes, thanks for pointing that out. Certification is obtained by a long and laborious process by NIST. Compliancy is mainly self reporting. Look here https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8217911 for Oracle removing the "compliant" mode in Java 13. If you read through the task, you will see it states "Legacy applications might have used the experimental mode...". Me and you can have our opinions about FIPS, but the reality is that if you want to sell to government entities (and even some commercial entities) you really need FIPS support in your product. Sadly, yes. With the pluggability of Java's crypto interface, I seriously doubt Oracle is going to certify a JCE module in the future, esp. with free 3rd party solutions such as BCFIPS. Is BC actually certified? It seems unlikely to me that a group of volunteers from Australia are going to bother to go through that module-certification process. To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. NIO+JSSE/OpenSSL ought to be okay, theoretically. The "AprLifecycleListener" is a misnomer; it really should be the "TcnativeLivecycleListener". You can use it to configure OpenSSL into FIPS mode and still use NIO+OpenSSL as your connector. > > GS: You are right, I might have misspoken by saying "APR". What I really meant is you need to have OpenSSL as in tcnative. The problem I faced back in the days was that the prebuilt binaries come with regular, non-FIPS OpenSSL and despite my long efforts I was never able to build it successfully and fully on Windows x64. Oh. You're on Windows. You're right, that will suck. The binaries packaged by ASF are definitely not going to be FIPS-certified. You'll have to build your own and then dynamically-link it to tcnative during the build. I found it non-trivial and the toolsets to be very specific, and even after following all instructions from several wikis and web pages I kept running into issues resulting in overall failure. Yes, the build process for OpenSSL is horrible. I have no idea why they decided to use Perl as their build system. On Windows? I have only tried to build the OpenSSL binary, not the FIPS-compliant module. Having done it on Linux (where it's "easy") I can say I'm glad I'm not responsible for doing it on Windows. Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is only available for that version line. OpenSSL still produces security fixes to paid support subscribers (we are) but they are not available for the general public. OpenSSL 3.0 will have a refreshed re-certified FIPS module but it is not due until later next year, so for now general public is left hanging with the last public version of 1.0.1+FIPS. :( This is why we can't have nice things. We have implemented the later and have ran into issues with RSA keys. First the C# BCPROV doesn't support 4096 bit RSA keys What? It's like the most popular configuration in the world right now. I know you can read more about it here: https://github.com/bcgit/bc-java/issues/616 See... this is why I say that FIPS is sometimes bad: they specifically disallow large keys. And that's ... more secure? *Sigh* (I know weird, but our config app is C# and we use BCFIPS/C# there) but that's OK, you can use Windows CNG or CAPI but of course you have to put the whole Windows in FIPS which is not prarctical all the time. > But second, and most important BCFIPS implements stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature and BCFIPS really tracks the usage. That's appropriate, actually. What's the problem, there? GS: See my next comment with a link to technical exp
RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
-Original Message- From: Christopher Schultz Sent: Friday, December 04, 2020 10:58 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? George, On 12/3/20 21:59, George Stanchev wrote: > Java's FIPS mode is "expirmental" feature that was removed in later > Java versions. It was never certified (AFAIK). I've always found conflicting information about whether or not Java's crypto module was FIPS-certified or not. Sun/Oracle have documentation which suggests that, at least under some configurations, it IS certified, but there is precious little information about it. I suspect you can pay Oracle to give you the magic that makes it certified. I've never cared enough about it to actually try to find it out. I find FIPS to be a useless requirement that doesn't add any security beyond what usual best-practices would give you. But I don't do work in intelligence or military applications, so I'm allowed to thumb my nose at such things. GS: IBM's JCE is FIPS-certified but not Oracle's. Also, we should make a distinction between "certified" and "compliant". Certification is obtained by a long and laborious process by NIST. Compliancy is mainly self reporting. Look here https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8217911 for Oracle removing the "compliant" mode in Java 13. If you read through the task, you will see it states "Legacy applications might have used the experimental mode...". Me and you can have our opinions about FIPS, but the reality is that if you want to sell to government entities (and even some commercial entities) you really need FIPS support in your product. With the pluggability of Java's crypto interface, I seriously doubt Oracle is going to certify a JCE module in the future, esp. with free 3rd party solutions such as BCFIPS. > To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. NIO+JSSE/OpenSSL ought to be okay, theoretically. The "AprLifecycleListener" is a misnomer; it really should be the "TcnativeLivecycleListener". You can use it to configure OpenSSL into FIPS mode and still use NIO+OpenSSL as your connector. GS: You are right, I might have misspoken by saying "APR". What I really meant is you need to have OpenSSL as in tcnative. The problem I faced back in the days was that the prebuilt binaries come with regular, non-FIPS OpenSSL and despite my long efforts I was never able to build it successfully and fully on Windows x64. I found it non-trivial and the toolsets to be very specific, and even after following all instructions from several wikis and web pages I kept running into issues resulting in overall failure. Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is only available for that version line. OpenSSL still produces security fixes to paid support subscribers (we are) but they are not available for the general public. OpenSSL 3.0 will have a refreshed re-certified FIPS module but it is not due until later next year, so for now general public is left hanging with the last public version of 1.0.1+FIPS. > We have implemented the later and have ran into issues with RSA keys. > First the C# BCPROV doesn't support 4096 bit RSA keys What? It's like the most popular configuration in the world right now. I know you can read more about it here: https://github.com/bcgit/bc-java/issues/616 > (I know weird, but our config app is C# and we use BCFIPS/C# there) > but that's OK, you can use Windows CNG or CAPI but of course you have > to put the whole Windows in FIPS which is not prarctical all the time. > > > > But second, and most important BCFIPS implements stricter FIPS > requirement that an RSA key cannot be used for both encipherment and > signature and BCFIPS really tracks the usage. That's appropriate, actually. What's the problem, there? GS: See my next comment with a link to technical explanation > This, combined with the fact that Tomcat (8.5.someting about an year > ago) doesn't really support multiple keys for SSL that can be > dynamically selected really leaves you with only DSA key. I'm curious what version that is, because Tomcat will definitely select the appropriate certificate from a set of RSA/DSA/ECDSA-based certs. GS: http://mail-archives.apache.org/mod_mbox/tomcat-users/201911.mbox/%3caa01aac6-fa82-a100-3d37-26b3521cb...@apache.org%3E GS: I never had a time to formalize the patch, to submit a BZ and attach it, which is a shame. I should perhaps do this > Now, BC does support a system property to disable this FIPS > requirement but now you are not FIPS compliant, strictly speaking. Well... FIPS is all about strictness. You can certainly use the OpenSSL FIPS module without entering FIPS mode, but, well, then you aren't actually using the FIPS module,
Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
George, On 12/3/20 21:59, George Stanchev wrote: Java's FIPS mode is "expirmental" feature that was removed in later Java versions. It was never certified (AFAIK). I've always found conflicting information about whether or not Java's crypto module was FIPS-certified or not. Sun/Oracle have documentation which suggests that, at least under some configurations, it IS certified, but there is precious little information about it. I suspect you can pay Oracle to give you the magic that makes it certified. I've never cared enough about it to actually try to find it out. I find FIPS to be a useless requirement that doesn't add any security beyond what usual best-practices would give you. But I don't do work in intelligence or military applications, so I'm allowed to thumb my nose at such things. To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. NIO+JSSE/OpenSSL ought to be okay, theoretically. The "AprLifecycleListener" is a misnomer; it really should be the "TcnativeLivecycleListener". You can use it to configure OpenSSL into FIPS mode and still use NIO+OpenSSL as your connector. We have implemented the later and have ran into issues with RSA keys. First the C# BCPROV doesn't support 4096 bit RSA keys What? It's like the most popular configuration in the world right now. (I know weird, but our config app is C# and we use BCFIPS/C# there) but that's OK, you can use Windows CNG or CAPI but of course you have to put the whole Windows in FIPS which is not prarctical all the time. > > But second, and most important BCFIPS implements stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature and BCFIPS really tracks the usage. That's appropriate, actually. What's the problem, there? This, combined with the fact that Tomcat (8.5.someting about an year ago) doesn't really support multiple keys for SSL that can be dynamically selected really leaves you with only DSA key. I'm curious what version that is, because Tomcat will definitely select the appropriate certificate from a set of RSA/DSA/ECDSA-based certs. Now, BC does support a system property to disable this FIPS requirement but now you are not FIPS compliant, strictly speaking. Well... FIPS is all about strictness. You can certainly use the OpenSSL FIPS module without entering FIPS mode, but, well, then you aren't actually using the FIPS module, then, are you. " Man: We have the most sophisticated door-locks money can buy! Woman: Who has access to the keys? Man: It's super secure! Nobody has access to the the keys because we never engage the locks! " Which, as FIPS-compliancy goes, might or might not be a problem as it is really a self-reporting. Also, no way to get PKCS12 keystores in FIPS mode so you're stuck with BCKFS or PEMs. I didn't realize tat PKCS12 doesn't work in FIPS mode. Why not? Thanks, -chris -Original Message- From: Amit Pande Sent: Tuesday, November 24, 2020 9:31 AM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback. The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use. These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs. Thanks, Amit -Original Message- From: Christopher Schultz Sent: Friday, November 6, 2020 3:40 PM To: Tomcat Users List ; Avik Ray Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, On 11/6/20 14:50, Avik Ray wrote: Thanks a lot Anil for the detailed readme, and Martin for pointing me to it. We have done most of these configs. Are these steps sufficient to ensure that all incoming and outgoing TLS connections are FIPS compliant? This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself. Or is there also a need to compile an APR connector with an underlying implementation of openssl? You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode". Is the APR approach just an alternative to the JSSE approach covered in Anil's readme, and both hold equally good to be FIPS compliant? Theoretically, yes. It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what h
RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
You can add this to your guide and perhaps a little explanation: Add this to your JAVA_OPTS: -Dorg.bouncycastle.rsa.allow_multi_use=true Otherwise you're doomed to run into weird random and failures depending on what cipher suite your browser and server agree on which believe me, combined with the BCFIPS's atrocious logging levels can be quite hard to troubleshoot. But if you enable that...well technically you break out of FIPS compliance. The other option is to remove all RSA-based suites from your server's list so you don't run into the issue or always run with DSA keys George -Original Message- From: George Stanchev Sent: Thursday, December 03, 2020 7:59 PM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Java's FIPS mode is "expirmental" feature that was removed in later Java versions. It was never certified (AFAIK). To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the later and have ran into issues with RSA keys. First the C# BCPROV doesn't support 4096 bit RSA keys (I know weird, but our config app is C# and we use BCFIPS/C# there) but that's OK, you can use Windows CNG or CAPI but of course you have to put the whole Windows in FIPS which is not prarctical all the time. But second, and most important BCFIPS implements stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature and BCFIPS really tracks the usage. This, combined with the fact that Tomcat (8.5.someting about an year ago) doesn't really support multiple keys for SSL that can be dynamically selected really leaves you with only DSA key. Now, BC does support a system property to disable this FIPS requirement but now you are not FIPS compliant, strictly speaking. Which, as FIPS-compliancy goes, might or might not be a problem as it is really a self-reporting. Also, no way to get PKCS12 keystores in FIPS mode so you're stuck with BCKFS or PEMs. George -Original Message- From: Amit Pande Sent: Tuesday, November 24, 2020 9:31 AM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback. The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use. These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs. Thanks, Amit -Original Message- From: Christopher Schultz Sent: Friday, November 6, 2020 3:40 PM To: Tomcat Users List ; Avik Ray Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, On 11/6/20 14:50, Avik Ray wrote: > Thanks a lot Anil for the detailed readme, and Martin for pointing me to it. > > We have done most of these configs. Are these steps sufficient to > ensure that all incoming and outgoing TLS connections are FIPS compliant? This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself. > Or is there also a need to compile an APR connector with an underlying > implementation of openssl? You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode". > Is the APR approach just an alternative to the JSSE approach covered > in Anil's readme, and both hold equally good to be FIPS compliant? Theoretically, yes. It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode. How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided. -chris > On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, wrote: > >> Hi, >> >> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray wrote: >> >>> Dear team, >>> Sending this query again after subscribing to the mailing list. Sent >>> it originally 3 days back, but just saw an error response in the >&g
RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
You can add this to your guide and perhaps a little explanation: Add this to your JAVA_OPTS: -Dorg.bouncycastle.rsa.allow_multi_use=true Otherwise you're doomed to run into weird random and failures depending on what cipher suite your browser and server agree on which believe me, combined with the BCFIPS's atrocious logging levels can be quite hard to troubleshoot. But if you enable that...well technically you break out of FIPS compliance. The other option is to remove all RSA-based suites from your server's list so you don't run into the issue or always run with DSA keys George -Original Message- From: George Stanchev Sent: Thursday, December 03, 2020 7:59 PM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Java's FIPS mode is "expirmental" feature that was removed in later Java versions. It was never certified (AFAIK). To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the later and have ran into issues with RSA keys. First the C# BCPROV doesn't support 4096 bit RSA keys (I know weird, but our config app is C# and we use BCFIPS/C# there) but that's OK, you can use Windows CNG or CAPI but of course you have to put the whole Windows in FIPS which is not prarctical all the time. But second, and most important BCFIPS implements stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature and BCFIPS really tracks the usage. This, combined with the fact that Tomcat (8.5.someting about an year ago) doesn't really support multiple keys for SSL that can be dynamically selected really leaves you with only DSA key. Now, BC does support a system property to disable this FIPS requirement but now you are not FIPS compliant, strictly speaking. Which, as FIPS-compliancy goes, might or might not be a problem as it is really a self-reporting. Also, no way to get PKCS12 keystores in FIPS mode so you're stuck with BCKFS or PEMs. George -Original Message- From: Amit Pande Sent: Tuesday, November 24, 2020 9:31 AM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback. The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use. These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs. Thanks, Amit -Original Message- From: Christopher Schultz Sent: Friday, November 6, 2020 3:40 PM To: Tomcat Users List ; Avik Ray Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, On 11/6/20 14:50, Avik Ray wrote: > Thanks a lot Anil for the detailed readme, and Martin for pointing me to it. > > We have done most of these configs. Are these steps sufficient to > ensure that all incoming and outgoing TLS connections are FIPS compliant? This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself. > Or is there also a need to compile an APR connector with an underlying > implementation of openssl? You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode". > Is the APR approach just an alternative to the JSSE approach covered > in Anil's readme, and both hold equally good to be FIPS compliant? Theoretically, yes. It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode. How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided. -chris > On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, wrote: > >> Hi, >> >> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray wrote: >> >>> Dear team, >>> Sending this query again after subscribing to the mailing list. Sent >>> it originally 3 days back, but just saw an error response in the >&g
RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
Java's FIPS mode is "expirmental" feature that was removed in later Java versions. It was never certified (AFAIK). To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the later and have ran into issues with RSA keys. First the C# BCPROV doesn't support 4096 bit RSA keys (I know weird, but our config app is C# and we use BCFIPS/C# there) but that's OK, you can use Windows CNG or CAPI but of course you have to put the whole Windows in FIPS which is not prarctical all the time. But second, and most important BCFIPS implements stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature and BCFIPS really tracks the usage. This, combined with the fact that Tomcat (8.5.someting about an year ago) doesn't really support multiple keys for SSL that can be dynamically selected really leaves you with only DSA key. Now, BC does support a system property to disable this FIPS requirement but now you are not FIPS compliant, strictly speaking. Which, as FIPS-compliancy goes, might or might not be a problem as it is really a self-reporting. Also, no way to get PKCS12 keystores in FIPS mode so you're stuck with BCKFS or PEMs. George -Original Message- From: Amit Pande Sent: Tuesday, November 24, 2020 9:31 AM To: Tomcat Users List ; Avik Ray Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback. The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use. These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs. Thanks, Amit -Original Message- From: Christopher Schultz Sent: Friday, November 6, 2020 3:40 PM To: Tomcat Users List ; Avik Ray Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, On 11/6/20 14:50, Avik Ray wrote: > Thanks a lot Anil for the detailed readme, and Martin for pointing me to it. > > We have done most of these configs. Are these steps sufficient to > ensure that all incoming and outgoing TLS connections are FIPS compliant? This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself. > Or is there also a need to compile an APR connector with an underlying > implementation of openssl? You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode". > Is the APR approach just an alternative to the JSSE approach covered > in Anil's readme, and both hold equally good to be FIPS compliant? Theoretically, yes. It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode. How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided. -chris > On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, wrote: > >> Hi, >> >> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray wrote: >> >>> Dear team, >>> Sending this query again after subscribing to the mailing list. Sent >>> it originally 3 days back, but just saw an error response in the >>> spam folder asking to subscribe first. >>> >>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO >>> connector with JSSE, without an underlying OpenSSL. >>> >>> As per Tomcat 9 docs, the only mention of FIPS compliant operation I >>> see is in the config of APR lifecycle listener, with the expectation >>> of an underlying OpenSSL implementation that can be set to FIPS >>> enabled mode. Ref: >>> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html >>> >>> Is it possible to be FIPS compliant with the usage of Tomcat, >>> without the above setting? We were thinking of using BouncyCastle >>> FIPS as the underlying Java crypto provider ins
RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
Avik, Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback. The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use. These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs. Thanks, Amit -Original Message- From: Christopher Schultz Sent: Friday, November 6, 2020 3:40 PM To: Tomcat Users List ; Avik Ray Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, On 11/6/20 14:50, Avik Ray wrote: > Thanks a lot Anil for the detailed readme, and Martin for pointing me to it. > > We have done most of these configs. Are these steps sufficient to > ensure that all incoming and outgoing TLS connections are FIPS compliant? This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself. > Or is there also a need to compile an APR connector with an underlying > implementation of openssl? You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode". > Is the APR approach just an alternative to the JSSE approach covered > in Anil's readme, and both hold equally good to be FIPS compliant? Theoretically, yes. It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode. How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided. -chris > On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, wrote: > >> Hi, >> >> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray wrote: >> >>> Dear team, >>> Sending this query again after subscribing to the mailing list. Sent >>> it originally 3 days back, but just saw an error response in the >>> spam folder asking to subscribe first. >>> >>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO >>> connector with JSSE, without an underlying OpenSSL. >>> >>> As per Tomcat 9 docs, the only mention of FIPS compliant operation I >>> see is in the config of APR lifecycle listener, with the expectation >>> of an underlying OpenSSL implementation that can be set to FIPS >>> enabled mode. Ref: >>> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html >>> >>> Is it possible to be FIPS compliant with the usage of Tomcat, >>> without the above setting? We were thinking of using BouncyCastle >>> FIPS as the underlying Java crypto provider instead of OpenSSL for >>> multiple reasons. >>> >>> Are there any other dependencies Tomcat has on the underlying stack, >>> besides that provided by a Java crypto provider like BC-FIPS, having >>> a bearing on FIPS compliance? >>> >>> Please advise, as this is urgent for a FIPS compliance decision. >>> >> >> Please check the README of this project - >> https://github.com/amitlpande/tomcat-9-fips >> Amit Pande recently shared it here at users@. >> >> Regards, >> Martin >> >> >>> >>> Thanks, >>> Avik Ray >>> >>> >>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >> > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org