FIPS 140_2 compliant for mod_proxy?
on 01.03.2010 21:16:05 by Michael.Trent
We have apache httpd running in FIPS 140-2 mode for SSL and it runs
correctly. FIPS is enabled and only FIPS compliant algorithms are used.
However when running in proxy mode (mod_proxy) the SSL handshaking to the
server indicates that apache mod_proxy is not running in FIPS mode. Is there
a patch for mod_proxy to put this in FIPS mode? (It seems that the standard
patch for FIPS for apache does not enable FIPS for proxy).
Thanks.
--
View this message in context: http://old.nabble.com/FIPS-140_2-compliant-for-mod_proxy--tp27748496p27748496.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: FIPS 140_2 compliant for mod_proxy?
on 01.03.2010 21:35:28 by galoula
I don't understand why you are talking about SSL, because maybe I try to connect on 443, but I don't get any echo.
If apache sends data to a php script, my script just repeats the data (echo). Here my PHP script can only get the first request. php isn't the cause, because strace doesn't see any data sent to php-cgi when I write anything on the connection (but TCPDUMP can see the data on port 80; that's normal, this is the port of the proxy script through apache).
Re: FIPS 140_2 compliant for mod_proxy?
on 01.03.2010 21:49:54 by Michael.Trent
I am asking if FIPS 140-2 support is available for mod_proxy when running
SSL. It is supported in apache SSL proper with this patch:
https://issues.apache.org/bugzilla/show_bug.cgi?id=46270
You seem to be referring to another discussion thread, not this one.
Re: FIPS 140_2 compliant for mod_proxy?
on 02.03.2010 08:21:43 by Krist van Besien
On Mon, Mar 1, 2010 at 9:49 PM, Mike Trent wrote:
>
> I am asking if FIPS 140-2 support is available for mod_proxy when running
> SSL. It is supported in apache SSL proper with this patch:
mod_proxy itself never "runs" SSL. SSL is always handled by mod_ssl.
What is it exactly that you are trying to do? Could you be more
specific? An excerpt from your config would be useful.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: FIPS 140_2 compliant for mod_proxy?
on 02.03.2010 14:39:26 by Michael.Trent
We have no problem running mod_proxy over SSL (via mod_ssl). It is the FIPS
mode that is our problem.
There is a patch that turns on FIPS mode in mod_ssl (listed in my last post).
We can run apache as a server for HTTPS (SSL) in FIPS mode. However, when
communicating over HTTPS (SSL) via mod_proxy, mod_ssl is not running in FIPS
mode. This can be verified by running a line trace and seeing that the TLS
handshake client HELLO packet presents a cipher suite list that includes
non-FIPS-compliant algorithms (RC4, for example).
While running in server mode (not using mod_proxy) FIPS is enabled properly.
This can be seen in the TLS server HELLO, which presents only FIPS-compliant
algorithms such as 3DES.
i.e.
SSL as a server: FIPS compliant
SSL as a client via mod_proxy: not FIPS compliant
Thanks.
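One way to automate the "line trace" check Mike describes, as an added example that is not part of this thread: it parses the cipher_suites list out of a TLS ClientHello record and reports any suite that could not be in use under FIPS mode. The ClientHello bytes are constructed inline (not a real capture), and the FIPS-eligibility rule is a simplified assumption (3DES or AES bulk cipher with a SHA-family MAC), not OpenSSL's actual FIPS cipher list.

```python
import struct

# IANA cipher suite ids used in this example (standard names).
SUITE_NAMES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

def fips_eligible(suite_id):
    """Assumed simplified rule: bulk cipher 3DES or AES with a SHA-family MAC.
    RC4, MD5, NULL and unknown suites are treated as non-compliant."""
    name = SUITE_NAMES.get(suite_id)
    if name is None:
        return False
    return ("_3DES_" in name or "_AES_" in name) and name.split("_")[-1].startswith("SHA")

def build_client_hello(suites):
    """Construct a minimal TLS 1.0 ClientHello record (sample input, not a capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"   # version, all-zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the cipher suite ids offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + hello[pos]                       # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]

def audit_client_hello(record):
    """Names of the non-FIPS suites offered; an empty list means the offer is clean."""
    return [SUITE_NAMES.get(s, "UNKNOWN_%04X" % s)
            for s in parse_client_hello(record) if not fips_eligible(s)]

# Constructed samples: an offer like the proxy's in the thread (RC4 included) and
# an offer limited to 3DES/AES suites, as a FIPS-mode client would send.
PROXY_OFFER = build_client_hello([0x0004, 0x0005, 0x002F, 0x0035, 0x000A])
FIPS_OFFER = build_client_hello([0x002F, 0x0035, 0x0033, 0x0039, 0x000A])
```

As the thread goes on to say, a clean offer is necessary but not sufficient: FIPS 140-2 compliance also requires that the validated module itself is running in FIPS mode.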
Re: FIPS 140_2 compliant for mod_proxy?
on 03.03.2010 11:34:01 by Krist van Besien
On Tue, Mar 2, 2010 at 2:39 PM, Mike Trent wrote:
> There is a patch that turns on FIPS mode in mod_ssl (listed in my last post)
> We can run apache as a server for HTTPS (SSL) in FIPS mode. However when
> communicating over HTTPS (SSL) via mod_proxy - mod_ssl is not running FIPS
> mode. This can be verified by running a line trace and seeing that the TLS
> handshaking client HELLO packet presents a cipher suite that includes non
> FIPS compliant algorithms (RC4 for example).
>
> While running in server mode (not using mod_proxy) FIPS is enabled properly.
> This can be seen in the TLS server HELLO which presents only FIPS compliant
> algorithms such as 3DES.
>
> i.e.
> SSL - as a server -FIPS compliant
I would love to help you, but I need more information from you in
order to do so. I have trouble finding out what it is exactly that you
are trying to achieve, and in what way, because the context fails.
Precise language is useful. I have trouble trying to imagine what you
mean with "running in proxy mode" and "via mod_proxy". That is where
the exact language of a config file helps.
So please, just post us the SSL part of your config, and we may be
able to point out to you what you need to modify.
> SSL - as a client via mod_proxy - not FIPS compliant
Are you saying that apache is here acting as an SSL client in a
non-FIPS-compliant way? i.e. apache is here used by you as a proxy that
forwards towards an https server? In that case have a look at the
SSLProxy* directives.
Krist
Re: FIPS 140_2 compliant for mod_proxy?
on 03.03.2010 15:12:06 by Michael.Trent
Thanks for the response.
Yes, we are running apache acting as an SSL client. And yes I am saying that
apache is running as a proxy that forwards towards an HTTPS server.
It does communicate in SSL so there is no issue with the SSL directives in
the config. But for your interest here are the pertinent lines we have in
the proxy.conf file:
SSLProxyEngine on
SSLProxyProtocol all
The issue is FIPS 140-2 compliance. As a server, apache runs SSL in FIPS
140-2 compliance, but does not run SSL in FIPS 140-2 compliance as a client.
As stated in the earlier post, the FIPS 140-2 patch was applied but does not
seem to have an effect on apache when acting as a client as a proxy.
This is a FIPS 140-2 compliance issue not an SSL issue. The SSL
communication is fine.
Thank you.
Re: FIPS 140_2 compliant for mod_proxy?
on 03.03.2010 15:21:48 by Krist van Besien
On Wed, Mar 3, 2010 at 3:12 PM, Mike Trent wrote:
> The issue is FIPS 140-2 compliance. As a server, apache runs SSL in FIPS
> 140-2 compliance, but does not run SSL in FIPS 140-2 compliance as a client.
> As stated in the early post the FIPS 140-2 patch was applied but does not
> seem to have an affect on apache when acting as a client as a proxy.
>
> This is a FIPS 140-2 compliance issue not an SSL issue. The SSL
> communication is fine.
Of course it could be that when operating as a client Apache assumes
that it is the server it communicates with that will enforce FIPS
compliance. However, you can probably make it compliant by restricting
the ciphers it will use as a client. That is why I suggested you look
into the possibilities the SSLProxy* directives offer. If you
consult the mod_ssl documentation you will see that there is a
directive SSLProxyCipherSuite, that you can use to limit the ciphers
offered in the HELLO packet.
Krist
Re: FIPS 140_2 compliant for mod_proxy?
on 03.03.2010 15:34:51 by Michael.Trent
Unfortunately restricting the algorithms to FIPS compliant algorithms in the
apache configs is not good enough to claim FIPS 140-2 compliance. The
openSSL library 'must' be running in FIPS mode. It is a requirement of FIPS
140-2 that the module doing the cryptographic functions is a FIPS
'validated' module. When in FIPS mode SSL will automatically restrict the
algorithms. Perhaps I need to post this on the openSSL forum instead.
Thanks again.
Re: FIPS 140_2 compliant for mod_proxy?
on 03.03.2010 18:11:14 by wrowe
On 3/3/2010 8:34 AM, Mike Trent wrote:
>
> Unfortunatley restricting the algorithms to FIPS compliant algorithms in the
> apache configs is not good enough to claim FIPS 140-2 compliance. The
> openSSL library 'must' be running in FIPS mode. It is a requirement of FIPS
> 140-2 that the module doing the cryptographic functions is a FIPS
> 'validated' module. When in FIPS mode SSL will automatically restrict the
> algorithms. Perhaps I need to post this on the openSSL forum instead.
It does more than that. It invokes validated implementations of those specific
algorithms, not the optimized but not FIPS approved implementations that are used
by openssl by default.
Bring it to the attention of dev@, or more specifically, raise an issue on the
httpd bugzilla against 2.2.