Thanks Christopher.

Yes, I do have a regulatory requirement to use FIPS, and I have built the
FIPS-capable OpenSSL library.
I tried to add the "SSLFIPS on" parameter to the httpd.conf config file as
suggested in the mod_ssl manual page, but httpd failed to start with
errors which seemed to be due to the fact that my Apache server was not compiled
against an SSL library which supports the FIPS_mode flag.

I need help with guidance on how to compile the Apache server with the FIPS-
capable OpenSSL library so that the Apache server can operate under
OpenSSL FIPS mode.

Thanks.

On Tue, Feb 9, 2016 at 5:49 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Rich,
>
> On 2/8/16 3:25 PM, cloud force wrote:
> > Hi All:
> >
> > From the mod_ssl doc, it mentioned: "If httpd was compiled against
> > an SSL library which did not support the FIPS_mode flag, |SSLFIPS
> > on| will fail."
> >
> > How do I compile apache (version 2.2) with FIPS capable OpenSSL
> > library?
>
> It's not Apache httpd that needs to be compiled for FIPS, it's
> OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be
> okay.
>
> Building a FIPS-capable OpenSSL is possible, but requires some steps
> on top of the usual OpenSSL build process:
>
> http://openssl.org/docs/fips.html
>
> Unless you have some regulatory requirement to use FIPS, I wouldn't
> bother with the whole mess. FIPS does two things: (1) validates the
> library on startup to ensure it hasn't been tampered with (which I
> suppose is good) and (2) mandates a specific set of hashes, ciphers,
> etc. (bad). The reason #2 is bad is because the set of ciphers
> required by FIPS includes known weak ciphers, and probably also
> contains unknown weak ciphers, too.
>
> AFAICR, FIPS also will not allow you to use additional ciphers on top
> of the FIPS requirements, so you aren't allowed to use the latest and
> greatest ciphers recommended by security experts.
>
> (Finally, it's unclear whether or not it's actually possible to
> produce a FIPS-compliant implementation *at all*, so the whole thing
> is a farce, anyway.)
>
> So, unless you have a specific and unyielding requirement to use a
> FIPS-compliant library, save your time and just configure your
> non-FIPS-compliant server in a sane way and you'll be fine.
>
> -chris
>
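The failure described in this thread (httpd starts against a system OpenSSL that lacks FIPS support, so "SSLFIPS on" is rejected) is easiest to diagnose by checking which libcrypto mod_ssl actually resolves to. The script below is an added example, not code from the thread or from the httpd project; the install paths /opt/openssl-fips and /opt/httpd, and the environment variable names, are assumptions, and the -DOPENSSL_FIPS compiler-flag check assumes a FIPS-capable OpenSSL 1.0.x built with `./config fips`.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the httpd you built loads
# the FIPS-capable OpenSSL before trying "SSLFIPS on".
# Assumed (hypothetical) layout: FIPS-capable OpenSSL under /opt/openssl-fips,
# httpd 2.2 configured with
#   ./configure --enable-ssl --with-ssl=/opt/openssl-fips --prefix=/opt/httpd
FIPS_PREFIX="${FIPS_PREFIX:-/opt/openssl-fips}"
MOD_SSL="${MOD_SSL:-/opt/httpd/modules/mod_ssl.so}"

# Read `ldd` output on stdin and print the libcrypto path it resolves to.
resolved_libcrypto() {
    awk '$1 ~ /^libcrypto\.so/ { print $3; exit }'
}

# Succeed (0) only when the resolved libcrypto lives under the FIPS prefix;
# a system libcrypto from /usr/lib is what makes "SSLFIPS on" fail at startup.
libcrypto_under_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Read `openssl version -a` output on stdin; a FIPS-capable 1.0.x build
# (./config fips) shows -DOPENSSL_FIPS in its compiler flags line (assumption).
version_is_fips_capable() {
    grep -q -- '-DOPENSSL_FIPS'
}

# Live check against the installed files; runs only when invoked with --check.
check_installed() {
    lib=$(ldd "$MOD_SSL" | resolved_libcrypto)
    echo "mod_ssl resolves libcrypto to: ${lib:-<none>}"
    libcrypto_under_prefix "$lib" "$FIPS_PREFIX" ||
        { echo "not the FIPS-capable build; fix rpath or LD_LIBRARY_PATH"; return 1; }
    "$FIPS_PREFIX/bin/openssl" version -a | version_is_fips_capable ||
        { echo "openssl in $FIPS_PREFIX was not built with ./config fips"; return 1; }
    echo "ok: this mod_ssl should accept SSLFIPS on"
}

if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run it as `sh check_fips_link.sh --check` on the build host; a resolved path outside the FIPS prefix means httpd was linked or is being loaded against the wrong OpenSSL, which is the situation the mod_ssl manual warns about.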
