httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Trent <Michael.Tr...@xerox.com>
Subject Re: [users@httpd] FIPS 140_2 compliant for mod_proxy?
Date Wed, 03 Mar 2010 14:34:51 GMT

Unfortunatley restricting the algorithms to FIPS compliant algorithms in the
apache configs is not good enough to claim FIPS 140-2 compliance. The
openSSL library 'must' be running in FIPS mode. It is a requirement of FIPS
140-2 that the module doing the cryptographic functions is a FIPS
'validated' module. When in FIPS mode SSL will automatically restrict the
algorithms.  Perhaps I need to post this on the openSSL forum instead.

Thanks again.


Krist van Besien wrote:
> 
> 
> Of course it could be that when operating as a client Apache assumes
> that it is the server it communicates with that will enforce FIPS
> compliance. However, you can probably make it compliant by restricting
> the cyphers it will use as a client. That is why I suggested you look
> in to the possibilitiess the SSLProxy* directives offer. If you
> consult the mod_ssl documentation you will see that there is a
> directive  SSLProxyCipherSuite, that you can use to limit the ciphers
> offered in the HELLO packet.
> 
> 
> Krist
> 
> -- 
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> 

-- 
View this message in context: http://old.nabble.com/FIPS-140_2-compliant-for-mod_proxy--tp27748496p27768938.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message