Thanks, Chris and Remy. Your comments got me thinking about something I hadn't considered...EPEL. tc-native is available on EPEL as tomcat-native. It turns out that this may not need to be compiled against a FIPS-capable OpenSSL so long as the OpenSSL installation on the target system is FIPS-capable. I installed this package and set 'FIPSMode="on"' for the APRLifecycleListener and I can see in catalina-<data>.log:
INFO: Initializing FIPS mode...
Feb 12, 2016 10:28:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Successfully entered FIPS mode

On Fri, Feb 12, 2016 at 4:23 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Rémy,
>
> On 2/12/16 2:35 PM, Rémy Maucherat wrote:
> > 2016-02-12 20:13 GMT+01:00 Lesley Kimmel
> > <lesley.j.kim...@gmail.com>:
> >
> >> I am using Red Hat which provides the FIPS-enabled OpenSSL. I
> >> have been doing some more reading and it appears that I also now
> >> have to build the Tomcat Native libraries against APR and
> >> OpenSSL. It does not appear that Red Hat provides a pre-compiled
> >> version of these tc-native libraries.
> >
> > Hmm, really?
> > http://koji.fedoraproject.org/koji/packageinfo?packageID=4979
>
> Nice to see that. Any idea if those were built against the
> FIPS-capable OpenSSL package(s)?
>
> -chris
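An added example, not part of the original message and not Tomcat code: a Python check that scans a Catalina log for the two FIPS messages quoted above and reports every startup that began FIPS initialization without confirming it. The function name and the sample log (including the SEVERE line) are constructed for illustration, and the header pattern assumes the java.util.logging layout shown in the message.

```python
import re

INIT_MSG = "Initializing FIPS mode..."
OK_MSG = "Successfully entered FIPS mode"

# Header line as shown in the message: "Feb 12, 2016 10:28:49 PM <class> <method>"
HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
RECORD = re.compile(r"^([A-Z]+): (.*)$")

def fips_attempts(lines):
    """Return [(header_line, confirmed)] for each FIPS initialization attempt."""
    attempts = []
    last_header = None   # most recent timestamp/class header seen
    pending = None       # header of an attempt still waiting for confirmation
    for raw in lines:
        line = raw.rstrip("\n")
        if HEADER.match(line):
            last_header = line
            continue
        m = RECORD.match(line)
        if not m:
            continue
        msg = m.group(2)
        if msg == INIT_MSG:
            if pending is not None:      # previous attempt never confirmed
                attempts.append((pending, False))
            pending = last_header or "<no header>"
        elif msg == OK_MSG and pending is not None:
            attempts.append((pending, True))
            pending = None
    if pending is not None:              # log ended without confirmation
        attempts.append((pending, False))
    return attempts

# Constructed sample: one confirmed startup, one that never confirms.
SAMPLE = """\
Feb 12, 2016 10:28:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Initializing FIPS mode...
Feb 12, 2016 10:28:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Successfully entered FIPS mode
Feb 13, 2016 9:02:11 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Initializing FIPS mode...
Feb 13, 2016 9:02:11 AM org.apache.catalina.core.AprLifecycleListener init
SEVERE: constructed placeholder for a startup error
""".splitlines()

if __name__ == "__main__":
    for header, confirmed in fips_attempts(SAMPLE):
        print("OK  " if confirmed else "FAIL", header)
```

An empty result means FIPS initialization was never attempted in that log, which is worth treating as a failure when `FIPSMode="on"` is expected.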