On 1/30/2011 8:20 AM, Christopher Schultz wrote:
> Chris,
>
> On 1/27/2011 3:54 PM, Chris Beckey wrote:
>> Chris,
>> To set some context, I posted on the tomcat users listserv a question
>> about running OpenSSL in FIPS mode under Tomcat.
>> The last communication was that you may investigate an enhancement.
>> Since then, one of my co-workers took on the C coding side and I took on
>> the Java side. I believe that we have it running now but I still have
>> testing to complete before I'd call it stable.
>> As you may know, the FIPS compliant version of OpenSSL is not the current
>> version. What we have running is:
>> Tomcat V 6.0.20
>> OpenSSL FIPS module V 1.2.2
>> OpenSSL V 0.9.6q
>> tcnative V 1.1.20
>> APR V 1.4.2
>> I have found that the versions used are critical; these were the newest
>> versions of the libraries I could get to work together, with the exception
>> of Tomcat itself. Usage of 6.0.20 is simply because that is what our
>> application is to be released on.
>> Anyway, the point of this email is to inquire whether you would like the
>> code for integration back into the code base. I also have a fairly detailed
>> list of steps used to do the build(s).
Note this isn't enough: if you did not call FIPS_mode_set(), you aren't running FIPS validated code.

The nice way to do this would be to enhance tcnative to accept a global config value (not connector-by-connector) to trigger the FIPS_mode_set() at startup, and ensure there is enough error reporting back to the Tomcat initialization code to inform the user of the reason for failure, when and if that call is rejected.
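The Tomcat-side shape of what the reply asks for, as an added example that is not code from this thread, from Tomcat or from tcnative: one Server-level LifecycleListener carries a single global FIPSMode setting, asks the native layer to call FIPS_mode_set(1) before anything else initialises, and refuses to start (with the OpenSSL error text) if the call is rejected. The class FipsNative and its three methods are assumed JNI bindings standing in for the tcnative enhancement being proposed; they did not exist in the tcnative version named above. LifecycleListener, LifecycleEvent, Lifecycle.BEFORE_INIT_EVENT and Server are real Tomcat APIs.

```java
// Added example, not code from the thread or from Tomcat/tcnative.
// Assumed: a tcnative-side JNI binding (hypothetical class FipsNative) that
// wraps OpenSSL's FIPS_mode_set()/FIPS_mode() and exposes the OpenSSL error
// queue as a string. The rest is standard Tomcat LifecycleListener plumbing,
// configured once at Server level in server.xml, for instance:
//
//   <Listener className="example.FipsLifecycleListener" FIPSMode="on"/>

package example;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;

public class FipsLifecycleListener implements LifecycleListener {

    /** Hypothetical JNI binding; mirrors OpenSSL's int-returning calls. */
    static final class FipsNative {
        /** Wraps FIPS_mode_set(mode); returns 1 on success, 0 on failure. */
        static native int fipsModeSet(int mode);
        /** Wraps FIPS_mode(); non-zero once the module is in FIPS mode. */
        static native int fipsModeGet();
        /** Drains ERR_get_error() into a readable string, or "" if empty. */
        static native String lastError();
    }

    // "off": never call FIPS_mode_set(); "on": enter FIPS mode and abort
    // startup if the call is rejected. Default is off, like tcnative itself.
    private String fipsMode = "off";

    // Digester maps the FIPSMode="..." attribute in server.xml onto this setter.
    public void setFIPSMode(String mode) { this.fipsMode = mode.trim().toLowerCase(); }
    public String getFIPSMode() { return fipsMode; }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Act exactly once, on the Server, before any connector initialises;
        // that is what makes the setting global rather than per connector.
        if (!(event.getLifecycle() instanceof Server)
                || !Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        if ("off".equals(fipsMode)) {
            return;
        }
        if (!"on".equals(fipsMode)) {
            throw new IllegalStateException(
                "FIPSMode must be 'off' or 'on', got '" + fipsMode + "'");
        }
        enterFipsMode();
    }

    private void enterFipsMode() {
        // FIPS_mode_set(1) returns 1 on success and 0 on failure, e.g. when
        // the module's integrity self-test fails or the OpenSSL actually
        // linked is not the validated module at all.
        int rc = FipsNative.fipsModeSet(1);
        if (rc != 1) {
            String reason = FipsNative.lastError();
            // Fail closed: continuing would mean silently running
            // non-validated crypto while the config claims FIPS mode.
            throw new IllegalStateException(
                "FIPS_mode_set(1) failed (rc=" + rc + "): "
                + (reason.isEmpty() ? "no OpenSSL error reported" : reason));
        }
        // Belt and braces: confirm the module really reports FIPS mode.
        if (FipsNative.fipsModeGet() == 0) {
            throw new IllegalStateException(
                "FIPS_mode_set(1) returned success but FIPS_mode() is still 0");
        }
    }
}
```

The design point is the fail-closed branch: a rejected FIPS_mode_set() must abort Server initialisation with the OpenSSL error queue attached, rather than leaving Tomcat up on non-validated crypto with nothing in the logs to say so.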