Lesley,

On 2/12/16 2:13 PM, Lesley Kimmel wrote:
> I am using Red Hat which provides the FIPS-enabled OpenSSL.

Excellent. That's the worst part of the whole process: building a
FIPS-capable library.

> I have been doing some more reading and it appears that I also now
> have to build the Tomcat Native libraries against APR and OpenSSL.
> It does not appear that Red Hat provides a pre-compiled version of
> these tc-native libraries.

They may have pre-compiled binaries for tcnative but they are likely
(a) not recent and (b) not built against the FIPS-capable library. So,
yes, you may need to rebuild tcnative yourself.

Fortunately, it's not terribly difficult to build from source. I think
you should only have to do the following (untested, from memory):

$ CFLAGS="-DOPENSSL_FIPS" ./configure [other flags]

Thanks,
-chris

> On Fri, Feb 12, 2016 at 1:10 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Lesley,
> >
> > On 2/12/16 1:31 PM, Lesley Kimmel wrote:
> > > I am looking into how to enable FIPS in Tomcat. The way I
> > > interpret is that I can either use APR connectors with a
> > > FIPS-enabled OpenSSL or configure the java installation to
> > > utilize a 3rd party FIPS library (e.g. JSafe). Is that
> > > correct?
> >
> > Correct.
> >
> > There are some Linux package managers that already provide a
> > FIPS-capable OpenSSL library. I'm thinking specifically about
> > Amazon Linux which I'm wildly guessing is only available if you are
> > running in AWS.
> >
> > Other package managers may already have done the FIPS-related leg
> > work for you as well.
> >
> > Once you have a FIPS-capable library (be it OpenSSL or a
> > FIPS-capable JSSE implementation), configuring Tomcat to use it is
> > fairly trivial.
> >
> > The nice part about Tomcat's use of OpenSSL is that Tomcat can be
> > configured to *fail* if FIPS-mode is not enabled. I don't believe
> > the same is true for an arbitrary JSSE implementation.
> >
> > -chris
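The thread leaves the reader with three things to get right: the host must actually be in FIPS mode, tcnative must be rebuilt with `-DOPENSSL_FIPS` against the FIPS-capable OpenSSL, and Tomcat must be told to refuse to start without FIPS mode. The POSIX shell functions below are an added example written for this page, not code from the thread or from the Tomcat project. They assume a Red Hat style host where `/proc/sys/crypto/fips_enabled` reads `1` in FIPS mode, that tcnative's `configure` script accepts `--with-apr` and `--with-ssl`, and that the fail-closed behaviour Chris mentions is the `FIPSMode` attribute of Tomcat's `AprLifecycleListener` (taken from Tomcat's documentation, not from the thread). All paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): preflight and
# post-configuration checks for running Tomcat's APR/OpenSSL connector
# in FIPS mode on a Red Hat style host. Paths below are placeholders.

# 1. System FIPS switch. On Red Hat systems /proc/sys/crypto/fips_enabled
#    reads "1" when the machine was booted in FIPS mode. The optional path
#    argument lets the check be exercised against a constructed file.
fips_kernel_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# 2. The tcnative build command from the thread, with the --with-apr and
#    --with-ssl options of tcnative's configure script filled in from the
#    arguments. It is emitted rather than executed so it can be reviewed
#    first; run it from the tcnative source tree with:
#      eval "$(tcnative_configure_cmd /usr/bin/apr-1-config /usr)" && make
tcnative_configure_cmd() {
  apr_config="$1"   # apr-1-config of the system APR (placeholder path)
  ssl_prefix="$2"   # prefix of the FIPS-capable OpenSSL (placeholder path)
  printf 'CFLAGS="-DOPENSSL_FIPS" ./configure --with-apr=%s --with-ssl=%s\n' \
    "$apr_config" "$ssl_prefix"
}

# 3. Tomcat side: the AprLifecycleListener in server.xml must have
#    SSLEngine="on" and a FIPSMode value under which startup fails when
#    OpenSSL is not in FIPS mode. FIPSMode is assumed here from Tomcat's
#    documentation (it is not on the thread); "on", "enter" and "require"
#    all refuse to start without FIPS mode, while the default "off" does not.
#    Assumes the <Listener .../> element sits on a single line that does not
#    begin with an XML comment marker.
tomcat_requires_fips() {
  conf="$1"
  grep -v '^[[:space:]]*<!--' "$conf" \
    | grep 'AprLifecycleListener' \
    | grep 'SSLEngine="on"' \
    | grep -Eq 'FIPSMode="(on|enter|require)"'
}

# Convenience wrapper: report all three checks for a real installation.
#   fips_report /etc/tomcat/server.xml
fips_report() {
  conf="$1"
  if fips_kernel_enabled; then echo "host FIPS mode: on"; else echo "host FIPS mode: OFF"; fi
  echo "tcnative build command:"; tcnative_configure_cmd /usr/bin/apr-1-config /usr
  if tomcat_requires_fips "$conf"; then
    echo "server.xml: Tomcat will fail to start without FIPS mode"
  else
    echo "server.xml: FIPSMode not enforced"
  fi
}
```

`tomcat_requires_fips` is deliberately strict: a listener with `SSLEngine="on"` but no `FIPSMode` is reported as not enforced, because in that configuration Tomcat will happily start with OpenSSL in non-FIPS mode, which is exactly the silent failure the thread warns about.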