https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #14 from Rob Sanders <rsand...@trustedcs.com> ---

I remember reading in some of the SSL docs that certain key lengths may be invalid for regular use but are valid for key agreement/establishment. Quoting from the somewhat confusing section 2.6.2 of the OpenSSL FIPS 140 User Guide (v2.0) PDF:

===
Algorithms Available in FIPS Mode

Only the algorithms listed in tables 4a and 4b of the Security Policy are allowed in FIPS mode. Note that Diffie-Hellman and RSA are allowed in FIPS mode for key agreement and key establishment even though they are "Non-Approved" for that purpose. RSA for sign and verify is "Approved" and hence also allowed, along with all the other Approved algorithms listed in that table.
===

Rather than hardcode in TCN what approved keys are, is there a way to ask the underlying OpenSSL implementation what *it* thinks is acceptable? I don't have an answer for that.

What I did to make things work back in January was comment out the 512 bit RSA key generation in TCN before building (along with adding a check to see if FIPS mode was already set).
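As an added example (not code from the bug thread, from Tomcat Native or from OpenSSL), the following shell script takes the "ask the underlying implementation" approach the comment wonders about: it asks the installed OpenSSL CLI which RSA key sizes it will actually generate, so a build does not have to hardcode the list. It assumes the `openssl` binary is on PATH; the provider check only applies to OpenSSL 3.x.

```shell
#!/bin/sh
# Added example, not from the bug thread: ask the installed OpenSSL which RSA
# key sizes it will generate instead of hardcoding a list in TCN. Under a
# FIPS-enabled build the library itself rejects sizes outside its policy, so
# genpkey exits non-zero and the generated (throwaway) key is never written.

# probe_rsa_bits BITS -> prints "accepted" or "rejected" depending on whether
# this OpenSSL build agrees to generate an RSA key of that size.
probe_rsa_bits() {
    bits="$1"
    if openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
            >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# fips_provider_loaded -> exit status 0 when an OpenSSL 3.x "fips" provider is
# active. OpenSSL 1.0.x with the FIPS 2.0 module has no equivalent CLI query;
# there the "already set?" check has to happen in code before FIPS_mode_set().
fips_provider_loaded() {
    openssl list -providers 2>/dev/null | grep -q '^ *fips *$'
}

# Walk the temporary-key sizes TCN generated at startup and report which ones
# this build accepts; a "rejected" line is a size the build must skip.
report_rsa_sizes() {
    for bits in 512 1024 2048 4096; do
        printf 'RSA %4s bits: %s\n' "$bits" "$(probe_rsa_bits "$bits")"
    done
}

if fips_provider_loaded; then
    echo "FIPS provider active"
else
    echo "FIPS provider not active (or OpenSSL < 3.0)"
fi
report_rsa_sizes
```

On a FIPS-restricted build the 512 bit line comes back "rejected", which is the same failure the comment worked around by removing that key generation from TCN.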