Can Tomcat 9 be FIPS compliant without OpenSSL?


Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik Ray
Dear team,
Sending this query again after subscribing to the mailing list. Sent
it originally 3 days back, but just saw an error response in the spam
folder asking to subscribe first.

We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
connector with JSSE, without an underlying OpenSSL.

As per Tomcat 9 docs, the only mention of FIPS compliant operation I
see is in the config of APR lifecycle listener, with the expectation
of an underlying OpenSSL implementation that can be set to FIPS
enabled mode. Ref:
https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html

Is it possible to be FIPS compliant with the usage of Tomcat, without
the above setting? We were thinking of using BouncyCastle FIPS as the
underlying Java crypto provider instead of OpenSSL for multiple
reasons.

Are there any other dependencies Tomcat has on the underlying stack,
besides that provided by a Java crypto provider like BC-FIPS, having a
bearing on FIPS compliance?

Please advise, as this is urgent for a FIPS compliance decision.

Thanks,
Avik Ray

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

mgrigorov
Hi,

On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <[hidden email]> wrote:

Please check the README of this project -
https://github.com/amitlpande/tomcat-9-fips
Amit Pande recently shared it here at users@.

Regards,
Martin



Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik Ray
Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.

We have done most of these configs. Are these steps sufficient to ensure
that all incoming and outgoing TLS connections are FIPS compliant?

Or is there also a need to compile an APR connector with an underlying
implementation of openssl?

Is the APR approach just an alternative to the JSSE approach covered in
Anil's readme, and both hold equally good to be FIPS compliant?

Thanks,
Avik


Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Christopher Schultz-2
Avik,

On 11/6/20 14:50, Avik Ray wrote:
> Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.
>
> We have done most of these configs. Are these steps sufficient to ensure
> that all incoming and outgoing TLS connections are FIPS compliant?

This isn't something that the Tomcat community can really comment on. If
you have a requirement to be FIPS-compliant, then you will need to
evaluate whether or not you have met that requirement yourself.

> Or is there also a need to compile an APR connector with an underlying
> implementation of openssl?

You do not NEED to do this, but it is a possibility that will allow you
to definitely put the crypto engine into "FIPS mode".

> Is the APR approach just an alternative to the JSSE approach covered in
> Anil's readme, and both hold equally good to be FIPS compliant?

Theoretically, yes.

It's also possible, I believe, to make the Sun/Oracle JSSE provider FIPS
compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232
(FYI Stephen Colebourne tends to know what he's talking about.) It's a
little unclear to me whether or not this is possible, while OpenSSL has
very good documentation for how to build a FIPS-compliant binary library
and then put it in the right mode.

How FIPS-compliant do you actually need to be? It's pretty trivial to
make sure that you support certain algorithms, etc. and that you disable
other ones. FIPS, however, technically requires that you enable certain
algorithms that really should no longer be used. These days, strict FIPS
compliance is IMHO a risk to be avoided.

-chris


RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Amit Pande
Avik,

Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback.

The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use.

These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure that any web app deployed within Tomcat uses FIPS-compliant constructs.

Thanks,
Amit

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Friday, November 6, 2020 3:40 PM
To: Tomcat Users List <[hidden email]>; Avik Ray <[hidden email]>
Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

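A self-check for the JSSE-only setup discussed in this thread, added here as an example and not code from the thread or from the tomcat-9-fips project: run it with the same JVM and java.security provider list as Tomcat, and it reports where the BC-FIPS provider sits in the provider order, which provider backs the default SSLContext, and which enabled cipher suites fall outside an allowlist. The provider name "BCFIPS", the class name and the suite allowlist are assumptions to replace with the values from your own BC-FIPS release and FIPS policy.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class FipsTlsSelfCheck {
    // Provider name registered by the BC-FIPS jar (assumed; confirm against your release).
    static final String EXPECTED_PROVIDER = "BCFIPS";

    // Constructed allowlist for this check: TLS 1.2 ECDHE suites with AES-GCM.
    // Replace it with the suites your own FIPS policy approves (TLS 1.3 suites included if used).
    static final List<String> ALLOWED_SUITES = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");

    /** 1-based position of the named provider in the JVM provider order, or -1 if absent. */
    static int providerPosition(String name) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().equals(name)) {
                return i + 1;
            }
        }
        return -1;
    }

    /** Cipher suites enabled on the default SSLContext that are not on the allowlist. */
    static List<String> disallowedEnabledSuites() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> bad = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            if (!ALLOWED_SUITES.contains(suite)) {
                bad.add(suite);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        int pos = providerPosition(EXPECTED_PROVIDER);
        System.out.println(EXPECTED_PROVIDER + " provider position: " + pos);
        System.out.println("SSLContext provider: " + SSLContext.getDefault().getProvider().getName());
        List<String> bad = disallowedEnabledSuites();
        System.out.println("Enabled suites outside allowlist: " + bad);
        boolean ok = pos == 1 && bad.isEmpty();   // provider first in order, no stray suites
        System.out.println(ok ? "PASS" : "FAIL");
        System.exit(ok ? 0 : 1);
    }
}
```

This inspects the JVM-wide defaults that the provider configuration controls; Tomcat's per-connector `ciphers` and `protocols` attributes narrow the suites further, so review the connector configuration alongside this result.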