httpd-users mailing list archives

From Christopher Schultz <>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Tue, 09 Feb 2016 13:49:41 GMT


On 2/8/16 3:25 PM, cloud force wrote:
> Hi All:
> From the mod_ssl doc, it mentioned: "If httpd was compiled against
> an SSL library which did not support the FIPS_mode flag, SSLFIPS
> on will fail."
> How do I compile apache (version 2.2) with FIPS capable OpenSSL
> library?

It's not Apache httpd that needs to be compiled for FIPS, it's
OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be

Building a FIPS-capable OpenSSL is possible, but requires some steps
on top of the usual OpenSSL build process:

Unless you have some regulatory requirement to use FIPS, I wouldn't
bother with the whole mess. FIPS does two things: (1) validates the
library on startup to ensure it hasn't been tampered with (which I
suppose is good) and (2) mandates a specific set of hashes, ciphers,
etc. (bad). The reason #2 is bad is because the set of ciphers
required by FIPS includes known weak ciphers, and probably also
contains unknown weak ciphers, too.

AFAICR, FIPS also will not allow you to use additional ciphers on top
of the FIPS requirements, so you aren't allowed to use the latest and
greatest ciphers recommended by security experts.

(Finally, it's unclear whether or not it's actually possible to
produce a FIPS-compliant implementation *at all*, so the whole thing
is a farce, anyway.)

So, unless you have a specific and unyielding requirement to use a
FIPS-compliant library, save your time and just configure your
non-FIPS-compliant server in a sane way and you'll be fine.

-chris
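As an added illustration of the two paths discussed above (not part of the original thread or of the httpd project's own examples): the SSLFIPS directive quoted from the mod_ssl documentation, which only works when the linked OpenSSL was built FIPS-capable, beside a "sane" non-FIPS mod_ssl configuration of the kind the reply recommends. It assumes httpd 2.2 with mod_ssl loaded; certificate paths and the host name are placeholders.

```apache
# Option A: FIPS mode. This directive is server-wide and only takes
# effect if the OpenSSL that httpd links against supports FIPS_mode;
# otherwise httpd refuses to start (per the mod_ssl doc quoted above).
# SSLFIPS on

# Option B (the reply's recommendation): no FIPS, but a sane baseline.
<VirtualHost *:443>
    ServerName www.example.com            # placeholder host name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem   # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key # placeholder

    # Disable SSLv2/SSLv3; allow TLS versions the linked OpenSSL offers.
    SSLProtocol all -SSLv2 -SSLv3

    # Choose ciphers by strength instead of a fixed FIPS list:
    # HIGH-grade only, no anonymous DH, no MD5/RC4-based suites.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Let the server, not the client, decide the cipher ordering.
    SSLHonorCipherOrder on
</VirtualHost>
```

After editing, run the configuration check that ships with httpd (apachectl configtest) before reloading, since a mis-set SSLFIPS or an unsupported protocol keyword is reported there rather than at request time.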