On 20/05/2022 12:43, Mark Thomas wrote:

<snip/>

Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code changes in Tomcat Native are going to be required to get this to work.

After doing some work on this I have an update.

First of all, OpenSSL 3 has not yet obtained FIPS certification. You can use the FIPS provider but it is not (yet) certified.

To use the OpenSSL 3 FIPS provider with Tomcat you need to do all of the following:
- build Tomcat Native 1.2.x with OpenSSL 3.x
- configure OpenSSL to use the FIPS provider by default
  https://www.openssl.org/docs/man3.0/man7/fips_module.html
- DO NOT configure the APRLifecycleListener to use FIPS

Although you won't see any confirmation in the logs, Tomcat Native will be using the OpenSSL FIPS provider.

Updates are in progress so that:
- Tomcat will log a message on start when FIPS is the default provider
- setting the FIPSMode options when using OpenSSL 3 won't break things

The above will require Tomcat Native 1.2.34 onwards.

Mark

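As an added example (not part of Mark's message and not code from the Tomcat project), the three steps above put into one POSIX shell script: it writes an openssl.cnf with the FIPS-provider-by-default layout from the fips_module(7) page linked above, writes an AprLifecycleListener fragment that leaves FIPSMode unset, and, because Tomcat itself logs nothing about the provider, checks `openssl list -providers` output to confirm that `fips` and `base` are active. Assumptions, labelled in the code: the fipsmodule.cnf path `/usr/local/ssl/fipsmodule.cnf` is only the default location written by `openssl fipsinstall`, and the two `openssl list -providers` outputs are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example; not from the original message or the Tomcat project.
# Assumption: /usr/local/ssl/fipsmodule.cnf is where "openssl fipsinstall"
# wrote the module's self-test/MAC section; adjust to your install.

# 1. openssl.cnf making the FIPS provider the default (layout from
#    fips_module(7)). "base" is loaded for PEM/file handling; "default" is
#    deliberately NOT activated so non-FIPS algorithms are not reachable.
#    [fips_sect] itself comes from the included fipsmodule.cnf.
write_openssl_cnf() {
    # $1 = output path, $2 = path to fipsmodule.cnf
    cat > "$1" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $2

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# 2. server.xml listener: FIPSMode is left at its default ("off"). With
#    OpenSSL 3 the provider configuration above decides, not this attribute.
write_listener_fragment() {
    cat > "$1" <<'EOF'
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />
EOF
}

# 3. Parse "openssl list -providers" output: succeed only if both "fips" and
#    "base" report "status: active" and "default" is not active. Treating an
#    active default provider as a failure is a strict reading of the
#    fips_module(7) layout, which does not load it.
check_fips_default() {
    # $1 = captured output of "openssl list -providers"
    providers=$(printf '%s\n' "$1" | awk '
        /^  [a-z]/        { name = $1 }
        /status: active/  { print name }')
    echo "$providers" | grep -qx fips || return 1
    echo "$providers" | grep -qx base || return 1
    echo "$providers" | grep -qx default && return 1
    return 0
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_FIPS_DEFAULT='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

SAMPLE_NOT_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

# Usage: sh fips_check.sh run
# Writes both files to a temp dir and, if an openssl binary is present,
# points it at the new openssl.cnf (OPENSSL_CONF is honoured by the CLI and
# by libcrypto, so the same file is what Tomcat Native will load).
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    write_openssl_cnf "$dir/openssl.cnf" /usr/local/ssl/fipsmodule.cnf
    write_listener_fragment "$dir/listener.xml"
    echo "wrote $dir/openssl.cnf and $dir/listener.xml"
    if command -v openssl >/dev/null 2>&1; then
        out=$(OPENSSL_CONF="$dir/openssl.cnf" openssl list -providers 2>&1)
        if check_fips_default "$out"; then
            echo "FIPS provider is the default; start Tomcat with OPENSSL_CONF=$dir/openssl.cnf"
        else
            echo "FIPS provider is NOT the default; fix openssl.cnf before starting Tomcat" >&2
            printf '%s\n' "$out" >&2
            exit 1
        fi
    fi
fi
```

Run the check on the same host and as the same user that will start Tomcat, with OPENSSL_CONF exported in the Tomcat environment (for example in setenv.sh), otherwise the CLI and Tomcat Native can end up reading different configuration files.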
