Thanks, Chris and Remy. Your comments got me thinking about something I
hadn't considered...EPEL. tc-native is available on EPEL as tomcat-native.
It turns out that this may not need to be compiled against a FIPS-capable
OpenSSL so long as the OpenSSL installation on the target system is
FIPS-capable. I installed this package and set 'FIPSMode="on"' for the
APRLifecycleListener and I can see in catalina-<data>.log:

INFO: Initializing FIPS mode...
Feb 12, 2016 10:28:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Successfully entered FIPS mode



On Fri, Feb 12, 2016 at 4:23 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Rémy,
>
> On 2/12/16 2:35 PM, Rémy Maucherat wrote:
> > 2016-02-12 20:13 GMT+01:00 Lesley Kimmel
> > <lesley.j.kim...@gmail.com>:
> >
> >> I am using Red Hat which provides the FIPS-enabled OpenSSL. I
> >> have been doing some more reading and it appears that I also now
> >> have to build the Tomcat Native libraries against APR and
> >> OpenSSL. It does not appear that Red Hat provides a pre-compiled
> >> version of these tc-native libraries.
> >
> > Hmm, really ?
> > http://koji.fedoraproject.org/koji/packageinfo?packageID=4979
>
> Nice to see that. Any idea if those were built against the
> FIPS-capable OpenSSL package(s)?
>
> -chris

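One way to check the log evidence described in the first message, so that an earlier successful start is not credited to a later one. This is an added example, not part of the thread; the "Server startup in" end-of-start marker and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the most recent Tomcat start
# in a catalina log by the two FIPS messages quoted in the first message.
# Assumption: a completed start is marked by Tomcat's "Server startup in" line.

# fips_status LOGFILE -> entered | attempted-no-success | not-attempted
fips_status() {
    awk '
        /INFO: Initializing FIPS mode/ { cur = "attempted-no-success" }
        /INFO: Successfully entered FIPS mode/ {
            # Success only counts after an attempt in the same start.
            if (cur != "") cur = "entered"
        }
        /INFO: Server startup in/ {
            # Start finished: remember its result and open a new window,
            # so an older success is not credited to a later start.
            last = (cur == "" ? "not-attempted" : cur)
            cur = ""
        }
        END {
            if (cur != "")       print cur
            else if (last != "") print last
            else                 print "not-attempted"
        }
    ' "$1"
}

# Constructed sample log lines (timestamps and ordering are made up).
HDR='Feb 12, 2016 10:28:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL'
sample_fips_on() {
    printf '%s\n' "$HDR" 'INFO: Initializing FIPS mode...' \
        "$HDR" 'INFO: Successfully entered FIPS mode' \
        'INFO: Server startup in 4021 ms'
}
sample_then_restart_without_fips() {
    sample_fips_on
    printf '%s\n' 'INFO: Server startup in 3977 ms'
}

demo_dir=$(mktemp -d)
sample_fips_on > "$demo_dir/on.log"
sample_then_restart_without_fips > "$demo_dir/restart.log"
echo "on.log:      $(fips_status "$demo_dir/on.log")"
echo "restart.log: $(fips_status "$demo_dir/restart.log")"
rm -rf "$demo_dir"
```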