httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Tue, 09 Feb 2016 13:49:41 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rich,

On 2/8/16 3:25 PM, cloud force wrote:
> Hi All:
> 
> From the mod_ssl doc, it mentioned: "If httpd was compiled against
> an SSL library which did not support the FIPS_mode flag, |SSLFIPS
> on| will fail."
> 
> How do I compile apache (version 2.2) with FIPS capable OpenSSL
> library?

It's not Apache httpd that needs to be compiled for FIPS, it's
OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be
okay.

Building a FIPS-capable OpenSSL is possible, but requires some steps
on top of the usual OpenSSL build process:

http://openssl.org/docs/fips.html

Unless you have some regulatory requirement to use FIPS, I wouldn't
bother with the whole mess. FIPS does two things: (1) validates the
library on startup to ensure it hasn't been tampered with (which I
suppose is good) and (2) mandates a specific set of hashes, ciphers,
etc. (bad). The reason #2 is bad is because the set of ciphers
required by FIPS includes known weak ciphers, and probably also
contains unknown weak ciphers, too.

AFAICR, FIPS also will not allow you to use additional ciphers on top
of the FIPS requirements, so you aren't allowed to use the latest and
greatest ciphers recommended by security experts.

(Finally, it's unclear whether or not it's actually possible to
produce a FIPS-compliant implementation *at all*, so the whole thing
is a farce, anyway.)

So, unless you have a specific and unyielding requirement to use a
FIPS-compliant library, save your time and just configure your
non-FIPS-compliant server in a sane way and you'll be fine.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla57nUACgkQ9CaO5/Lv0PAyTwCeLBOwi8VV9W5vngMc01ae62vC
O6wAnjglbjMq8S3+ZEyU1jch6wH4d7HW
=NJnj
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message