Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.

We have done most of these configs. Are these steps sufficient to ensure
that all incoming and outgoing TLS connections are FIPS compliant?

Or is there also a need to compile an APR connector with an underlying
implementation of OpenSSL?

Is the APR approach just an alternative to the JSSE approach covered in
Anil's readme, and both hold equally good to be FIPS compliant?

Thanks,
Avik

On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, <mgrigo...@apache.org> wrote:

> Hi,
>
> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <avikra...@gmail.com> wrote:
>
> > Dear team,
> > Sending this query again after subscribing to the mailing list. Sent
> > it originally 3 days back, but just saw an error response in the spam
> > folder asking to subscribe first.
> >
> > We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
> > connector with JSSE, without an underlying OpenSSL.
> >
> > As per Tomcat 9 docs, the only mention of FIPS compliant operation I
> > see is in the config of APR lifecycle listener, with the expectation
> > of an underlying OpenSSL implementation that can be set to FIPS
> > enabled mode. Ref:
> > https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html
> >
> > Is it possible to be FIPS compliant with the usage of Tomcat, without
> > the above setting? We were thinking of using BouncyCastle FIPS as the
> > underlying Java crypto provider instead of OpenSSL for multiple
> > reasons.
> >
> > Are there any other dependencies Tomcat has on the underlying stack,
> > besides that provided by a Java crypto provider like BC-FIPS, having a
> > bearing on FIPS compliance?
> >
> > Please advise, as this is urgent for a FIPS compliance decision.
> >
>
> Please check the README of this project -
> https://github.com/amitlpande/tomcat-9-fips
> Amit Pande recently shared it here at users@.
>
> Regards,
> Martin
>
>
> >
> > Thanks,
> > Avik Ray
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
