Thanks for your help Chris. Unfortunately this is a non-negotiable issue with the client, I have to run in FIPS mode.

Yes, I would be willing to test the addition of a FIPS mode switch to Tomcat. The other option is for me to make the change. It has been a while since I touched JNI, so it would probably be much faster for you to make the change.

What I found on running JSSE are the following links:
http://www.coderanch.com/t/497494/Tomcat/FIPS-compliant-Tomcat-JSSE#2240590
-and-
http://download.oracle.com/javase/6/docs/technotes/guides/security/enhancements.html
where the following quote comes from:

"*FIPS 140 compliance for SunJSSE* - The SunJSSE provider now supports an experimental FIPS 140 compliant mode. When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant. For details, see the JSSE Reference Guide <http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html>."

> On 1/7/2011 4:24 PM, Chris Beckey wrote:
>> I need to run a FIPS 140-2 certified SSL/TLS implementation under
>> Tomcat 6.0.20. I have OpenSSL configured and running but I cannot
>> find a way to set FIPS mode in OpenSSL.
>
> I don't think there's any way to configure OpenSSL via Tomcat other than to specify the ciphers that OpenSSL will use for SSL.
>
>> From the OpenSSL
>> documentation it should be as simple as making a call to
>> FIPS_mode_set(), probably from within the AprLifecycleListener but I
>> can't find a configuration option nor any indication that
>> FIPS_mode_set() method is visible in the tcnative library or JNI
>> wrapper.
>
> I can't find the string "fips" (case-insensitive) anywhere in the tomcat-native code, so it must not be exposed.
>
>> Question is, has anyone run OpenSSL under Tomcat in FIPS
>> mode? Any help would be appreciated.
>
> If you know the ciphers allowed by FIPS, you can just specify them in your <Connector> configuration. Is that acceptable, or do you absolutely need to have FIPS mode set? (I understand these things are sometimes non-negotiable).
>
> It doesn't look like it would be a big deal to add some code to allow FIPS mode via the APR connector with OpenSSL. Would you be willing to test some of that code?
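The cipher-restriction workaround suggested in the thread, shown as an added example that is not from either correspondent or from the Tomcat project: a Tomcat 6 APR/OpenSSL HTTPS connector in server.xml, first with the default negotiation and then pinned to TLSv1 with a cipher list limited to FIPS 140-2 approved algorithms. The certificate paths are placeholders, and the cipher list is my assumption of how OpenSSL names the approved suites (RSA or DHE key exchange, AES or 3DES, SHA-1); only one of the two connectors would actually be present in a real file.

```xml
<!-- server.xml: APR/native HTTPS connector. Added example, not from the thread.
     Paths and the cipher list are assumptions; keep only one of the two connectors. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Before: no SSLProtocol/SSLCipherSuite, so OpenSSL's defaults apply, which can
     include SSLv3 and suites that FIPS 140-2 does not approve (RC4, MD5, export grade). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/tomcat/server.crt"
           SSLCertificateKeyFile="/etc/tomcat/server.key" />

<!-- After: TLSv1 only, and only RSA/DHE key exchange with AES or 3DES and SHA-1.
     SSLCipherSuite is passed to OpenSSL as a cipher string. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/tomcat/server.crt"
           SSLCertificateKeyFile="/etc/tomcat/server.key"
           SSLProtocol="TLSv1"
           SSLCipherSuite="DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA" />
```

Two checks a practitioner would want: run `openssl ciphers -v '<the SSLCipherSuite value>'` against the same OpenSSL build that tcnative links to, so that every name resolves on that version (suite names and availability differ between 0.9.8 and 1.0.x builds); and remember that this only narrows the negotiated suites. It does not call FIPS_mode_set(), so the OpenSSL FIPS object module is not operating in FIPS mode and this will not satisfy a requirement that the module itself run in that mode.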