Avik, Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback.
The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use. These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs. Thanks, Amit -----Original Message----- From: Christopher Schultz <ch...@christopherschultz.net> Sent: Friday, November 6, 2020 3:40 PM To: Tomcat Users List <users@tomcat.apache.org>; Avik Ray <avikra...@gmail.com> Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL? Avik, On 11/6/20 14:50, Avik Ray wrote: > Thanks a lot Anil for the detailed readme, and Martin for pointing me to it. > > We have done most of these configs. Are these steps sufficient to > ensure that all incoming and outgoing TLS connections are FIPS compliant? This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself. > Or is there also a need to compile an APR connector with an underlying > implementation of openssl? You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode". > Is the APR approach just an alternative to the JSSE approach covered > in Anil's readme, and both hold equally good to be FIPS compliant? Theoretically, yes. It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode. How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided. -chris > On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, <mgrigo...@apache.org> wrote: > >> Hi, >> >> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <avikra...@gmail.com> wrote: >> >>> Dear team, >>> Sending this query again after subscribing to the mailing list. Sent >>> it originally 3 days back, but just saw an error response in the >>> spam folder asking to subscribe first. >>> >>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO >>> connector with JSSE, without an underlying OpenSSL. >>> >>> As per Tomcat 9 docs, the only mention of FIPS compliant operation I >>> see is in the config of APR lifecycle listener, with the expectation >>> of an underlying OpenSSL implementation that can be set to FIPS >>> enabled mode. Ref: >>> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html >>> >>> Is it possible to be FIPS compliant with the usage of Tomcat, >>> without the above setting? We were thinking of using BouncyCastle >>> FIPS as the underlying Java crypto provider instead of OpenSSL for >>> multiple reasons. >>> >>> Are there any other dependencies Tomcat has on the underlying stack, >>> besides that provided by a Java crypto provider like BC-FIPS, having >>> a bearing on FIPS compliance? >>> >>> Please advise, as this is urgent for a FIPS compliance decision. >>> >> >> Please check the README of this project - >> https://github.com/amitlpande/tomcat-9-fips >> Amit Pande recently shared it here at users@. >> >> Regards, >> Martin >> >> >>> >>> Thanks, >>> Avik Ray >>> >>> -------------------------------------------------------------------- >>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
