Avik,

On 11/6/20 14:50, Avik Ray wrote:
Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.

We have done most of these configs. Are these steps sufficient to ensure
that all incoming and outgoing TLS connections are FIPS compliant?

This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether or not you have met that requirement yourself.

Or is there also a need to compile an APR connector with an underlying
implementation of openssl?

You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode".

Is the APR approach just an alternative to the JSSE approach covered in
Anil's readme, and both hold equally good to be FIPS compliant?

Theoretically, yes.

It's also possible, I believe, to make the Sun/Oracle JSSE provider FIPS compliant. Hmm, maybe not: https://stackoverflow.com/a/5047855/276232 (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode.

How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided.

-chris
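The practical gap in the thread is verification: whichever route is taken (BC-FIPS under JSSE, or APR with OpenSSL in FIPS mode), the operator still has to confirm which provider actually backs Tomcat's SSLContext and which protocols and cipher suites it will offer, since an unexpected provider ordering in java.security silently falls back to the stock JSSE. The following check is an added example written for this thread, not code from the Tomcat project or from the referenced readme; the allow-lists are illustrative assumptions and must be replaced with the suites your FIPS provider's security policy approves. Run it with the same JVM, java.security file and JAVA_OPTS that Tomcat starts with so it reports Tomcat's real environment.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Reports which JCA/JSSE providers are registered, which one backs the
 * default SSLContext, and which protocols and cipher suites are enabled
 * (as opposed to merely supported). Exits non-zero if anything outside
 * the allow-lists is enabled.
 */
public class TlsProviderCheck {

    // ASSUMPTION: example allow-lists only, chosen to illustrate the check.
    // Replace with the exact list from your FIPS provider's security policy.
    static final Set<String> ALLOWED_PROTOCOLS =
            new LinkedHashSet<>(Arrays.asList("TLSv1.2", "TLSv1.3"));
    static final Set<String> ALLOWED_SUITES = new LinkedHashSet<>(Arrays.asList(
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"));

    public static void main(String[] args) throws Exception {
        // 1. Provider priority decides who services SSLContext, KeyStore,
        //    SecureRandom and friends. The FIPS provider should be first.
        System.out.println("Registered providers (priority order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p);   // Provider.toString() = "name version x.y"
        }

        // 2. Which provider actually backs TLS in this JVM?
        SSLContext ctx = SSLContext.getDefault();
        System.out.printf("%nDefault SSLContext: %s from provider %s%n",
                ctx.getProtocol(), ctx.getProvider().getName());

        // 3. What will be offered on the wire. getDefaultSSLParameters()
        //    reflects the enabled set, which is what a peer can negotiate.
        SSLParameters params = ctx.getDefaultSSLParameters();
        int problems = report("protocols", params.getProtocols(), ALLOWED_PROTOCOLS)
                     + report("cipher suites", params.getCipherSuites(), ALLOWED_SUITES);

        if (problems > 0) {
            System.out.printf("%n%d enabled item(s) outside the allow-list%n", problems);
            System.exit(1);
        }
        System.out.printf("%nAll enabled protocols and suites are on the allow-list%n");
    }

    /** Prints each enabled entry, flags those not allowed, returns the flagged count. */
    static int report(String what, String[] enabled, Set<String> allowed) {
        System.out.printf("%nEnabled %s:%n", what);
        int flagged = 0;
        for (String name : enabled) {
            boolean ok = allowed.contains(name);
            if (!ok) {
                flagged++;
            }
            System.out.printf("  %s %s%n", ok ? "ok" : "!!", name);
        }
        return flagged;
    }
}
```

Two caveats on what this does and does not prove. It shows which provider the JVM selected and what is enabled by default; a Tomcat connector can still narrow or widen that set through its own `protocols` and `ciphers` attributes, so the connector configuration has to be reviewed alongside this output. And a provider being first in the list is not the same as it running in its approved-only mode; that is a property of the provider itself and should be confirmed through the provider's own API or documentation rather than inferred from the JSSE view.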

On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, <mgrigo...@apache.org> wrote:

Hi,

On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <avikra...@gmail.com> wrote:

Dear team,
Sending this query again after subscribing to the mailing list. Sent
it originally 3 days back, but just saw an error response in the spam
folder asking to subscribe first.

We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
connector with JSSE, without an underlying OpenSSL.

As per Tomcat 9 docs, the only mention of FIPS compliant operation I
see is in the config of APR lifecycle listener, with the expectation
of an underlying OpenSSL implementation that can be set to FIPS
enabled mode. Ref:
https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html

Is it possible to be FIPS compliant with the usage of Tomcat, without
the above setting? We were thinking of using BouncyCastle FIPS as the
underlying Java crypto provider instead of OpenSSL for multiple
reasons.

Are there any other dependencies Tomcat has on the underlying stack,
besides that provided by a Java crypto provider like BC-FIPS, having a
bearing on FIPS compliance?

Please advise, as this is urgent for a FIPS compliance decision.


Please check the README of this project -
https://github.com/amitlpande/tomcat-9-fips
Amit Pande recently shared it here at users@.

Regards,
Martin



Thanks,
Avik Ray

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
