Mark,
On 6/1/22 09:49, Mark Thomas wrote:
On 20/05/2022 12:43, Mark Thomas wrote:
<snip/>
Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code
changes in Tomcat Native are going to be required to get this to work.
After doing some work on this I have an update.
First of all, OpenSSL 3 has not yet obtained FIPS certification. You can
use the FIPS provider but it is not (yet) certified.
To use the OpenSSL 3 FIPS provider with Tomcat you need to do all of the
following:
- build Tomcat Native 1.2.x with OpenSSL 3.x
- configure OpenSSL to use the FIPS provider by default
https://www.openssl.org/docs/man3.0/man7/fips_module.html
If this is anything like OpenSSL 1.x, you will need to build OpenSSL
with FIPS enabled to begin with. It's not just a runtime setting. (I
don't claim to understand the fine details of FIPS, but IMHO it should
have been possible for OpenSSL to be built in a standard way with FIPS
operational mode being simply a runtime decision, but that isn't how
OpenSSL did things... at least not originally.)
- DO NOT configure the APRLifecycleListener to use FIPS
Oh, that's interesting :)
Is that because the provider itself is FIPS and therefore there's no
reason to have an API to specifically-enable it? Is it possible to
confirm from client code e.g. libtcnative that the module is indeed in
FIPS mode?
Although you won't see any confirmation in the logs, Tomcat Native will
be using the OpenSSL FIPS provider.
Updates are in progress so that:
- Tomcat will log a message on start when FIPS is the default provider
- setting the FIPSMode options when using OpenSSL 3 won't break things
The above will require Tomcat Native 1.2.34 onwards.
I think we might want to make a note of all this in the documentation
for the APR lifecycle listener, including all the version information
you have above.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
