2016-02-12 23:32 GMT+01:00 Lesley Kimmel <lesley.j.kim...@gmail.com>:
> Thanks, Chris and Remy. Your comments got me thinking about something I
> hadn't considered...EPEL. tc-native is available on EPEL as tomcat-native.
> It turns out that this may not need to be compiled against a FIPS-capable
> OpenSSL so long as the OpenSSL installation on the target system is
> FIPS-capable. I installed this package and set 'FIPSMode="on"' for the
> APRLifecycleListener and I can see in catalina-<data>.log:
>
> INFO: Initializing FIPS mode...
> Feb 12, 2016 10:28:49 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: Successfully entered FIPS mode
>

Nice. On the distributions, there's never any static linking for libraries. Of course, it can cause compatibility issues, but when there's an OpenSSL CVE, it's actually more manageable.

Rémy