Dear team, Sending this query again after subscribing to the mailing list. Sent it originally 3 days back, but just saw an error response in the spam folder asking to subscribe first.
We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO connector with JSSE, without an underlying OpenSSL. As per Tomcat 9 docs, the only mention of FIPS compliant operation I see is in the config of APR lifecycle listener, with the expectation of an underlying OpenSSL implementation that can be set to FIPS enabled mode. Ref: https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html Is it possible to be FIPS compliant with the usage of Tomcat, without the above setting? We were thinking of using BouncyCastle FIPS as the underlying Java crypto provider instead of OpenSSL for multiple reasons. Are there any other dependencies Tomcat has on the underlying stack, besides that provided by a Java crypto provider like BC-FIPS, having a bearing on FIPS compliance? Please advise, as this is urgent for a FIPS compliance decision. Thanks, Avik Ray --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
