-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rich,
On 2/8/16 3:25 PM, cloud force wrote: > Hi All: > > From the mod_ssl doc, it mentioned: "If httpd was compiled against > an SSL library which did not support the FIPS_mode flag, |SSLFIPS > on| will fail." > > How do I compile apache (version 2.2) with FIPS capable OpenSSL > library? It's not Apache httpd that needs to be compiled for FIPS, it's OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be okay. Building a FIPS-capable OpenSSL is possible, but requires some steps on top of the usual OpenSSL build process: http://openssl.org/docs/fips.html Unless you have some regulatory requirement to use FIPS, I wouldn't bother with the whole mess. FIPS does two things: (1) validates the library on startup to ensure it hasn't been tampered with (which I suppose is good) and (2) mandates a specific set of hashes, ciphers, etc. (bad). The reason #2 is bad is because the set of ciphers required by FIPS includes known weak ciphers, and probably also contains unknown weak ciphers, too. AFAICR, FIPS also will not allow you to use additional ciphers on top of the FIPS requirements, so you aren't allowed to use the latest and greatest ciphers recommended by security experts. (Finally, it's unclear whether or not it's actually possible to produce a FIPS-compliant implementation *at all*, so the whole thing is a farce, anyway.) So, unless you have a specific and unyielding requirement to use a FIPS-compliant library, save your time and just configure your non-FIPS-compliant server in a sane way and you'll be fine. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAla57nUACgkQ9CaO5/Lv0PAyTwCeLBOwi8VV9W5vngMc01ae62vC O6wAnjglbjMq8S3+ZEyU1jch6wH4d7HW =NJnj -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
