Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik Ray
Dear team,
Sending this query again after subscribing to the mailing list. Sent
it originally 3 days back, but just saw an error response in the spam
folder asking to subscribe first.

We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
connector with JSSE, without an underlying OpenSSL.

As per Tomcat 9 docs, the only mention of FIPS compliant operation I
see is in the config of APR lifecycle listener, with the expectation
of an underlying OpenSSL implementation that can be set to FIPS
enabled mode. Ref:
https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html

Is it possible to be FIPS compliant with the usage of Tomcat, without
the above setting? We were thinking of using BouncyCastle FIPS as the
underlying Java crypto provider instead of OpenSSL for multiple
reasons.

Are there any other dependencies Tomcat has on the underlying stack,
besides that provided by a Java crypto provider like BC-FIPS, having a
bearing on FIPS compliance?

Please advise, as this is urgent for a FIPS compliance decision.

Thanks,
Avik Ray

Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Martin Grigorov
Hi,

On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <[hidden email]> wrote:

> Dear team,
> Sending this query again after subscribing to the mailing list. Sent
> it originally 3 days back, but just saw an error response in the spam
> folder asking to subscribe first.
>
> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
> connector with JSSE, without an underlying OpenSSL.
>
> As per Tomcat 9 docs, the only mention of FIPS compliant operation I
> see is in the config of APR lifecycle listener, with the expectation
> of an underlying OpenSSL implementation that can be set to FIPS
> enabled mode. Ref:
> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html
>
> Is it possible to be FIPS compliant with the usage of Tomcat, without
> the above setting? We were thinking of using BouncyCastle FIPS as the
> underlying Java crypto provider instead of OpenSSL for multiple
> reasons.
>
> Are there any other dependencies Tomcat has on the underlying stack,
> besides that provided by a Java crypto provider like BC-FIPS, having a
> bearing on FIPS compliance?
>
> Please advise, as this is urgent for a FIPS compliance decision.
>

Please check the README of this project -
https://github.com/amitlpande/tomcat-9-fips
Amit Pande recently shared it here at users@.

Regards,
Martin



Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik Ray
Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.

We have done most of these configs. Are these steps sufficient to ensure
that all incoming and outgoing TLS connections are FIPS compliant?

Or is there also a need to compile an APR connector with an underlying
implementation of openssl?

Is the APR approach just an alternative to the JSSE approach covered in
Anil's readme, and both hold equally good to be FIPS compliant?

Thanks,
Avik


Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Christopher Schultz-2
Avik,

On 11/6/20 14:50, Avik Ray wrote:
> Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.
>
> We have done most of these configs. Are these steps sufficient to ensure
> that all incoming and outgoing TLS connections are FIPS compliant?

This isn't something that the Tomcat community can really comment on. If
you have a requirement to be FIPS-compliant, then you will need to
evaluate whether or not you have met that requirement yourself.

> Or is there also a need to compile an APR connector with an underlying
> implementation of openssl?

You do not NEED to do this, but it is a possibility that will allow you
to definitely put the crypto engine into "FIPS mode".

> Is the APR approach just an alternative to the JSSE approach covered in
> Anil's readme, and both hold equally good to be FIPS compliant?

Theoretically, yes.

It's also possible, I believe, to make the Sun/Oracle JSSE provider FIPS
compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232
(FYI Stephen Colebourne tends to know what he's talking about.) It's a
little unclear to me whether or not this is possible, while OpenSSL has
very good documentation for how to build a FIPS-compliant binary library
and then put it in the right mode.

How FIPS-compliant do you actually need to be? It's pretty trivial to
make sure that you support certain algorithms, etc. and that you disable
other ones. FIPS, however, technically requires that you enable certain
algorithms that really should no longer be used. These days, strict FIPS
compliance is IMHO a risk to be avoided.

-chris


RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Amit Pande
Avik,

Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback.

The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use.

These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat uses FIPS compliant constructs.

Thanks,
Amit

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

George Stanchev-2
Java's FIPS mode is an "experimental" feature that was removed in later Java versions. It was never certified (AFAIK). To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the latter and have run into issues with RSA keys. First, the C# BCPROV doesn't support 4096-bit RSA keys (I know, weird, but our config app is C# and we use BCFIPS/C# there), but that's OK, you can use Windows CNG or CAPI, but of course you have to put the whole Windows in FIPS, which is not practical all the time. But second, and most important, BCFIPS implements a stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature, and BCFIPS really tracks the usage. This, combined with the fact that Tomcat (8.5.something, about a year ago) doesn't really support multiple keys for SSL that can be dynamically selected, really leaves you with only a DSA key. Now, BC does support a system property to disable this FIPS requirement, but now you are not FIPS compliant, strictly speaking. Which, as FIPS-compliancy goes, might or might not be a problem, as it is really self-reporting. Also, there is no way to get PKCS12 keystores in FIPS mode, so you're stuck with BCFKS or PEMs.

George

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

George Stanchev-2
In reply to this post by Amit Pande
You can add this to your guide and perhaps a little explanation:

Add this to your JAVA_OPTS: -Dorg.bouncycastle.rsa.allow_multi_use=true

Otherwise you're doomed to run into weird and random failures depending on what cipher suite your browser and server agree on, which, believe me, combined with BCFIPS's atrocious logging levels, can be quite hard to troubleshoot. But if you enable that... well, technically you break out of FIPS compliance. The other option is to remove all RSA-based suites from your server's list so you don't run into the issue, or always run with DSA keys.

George
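
The single-use rule for RSA keys described in the two posts above can be checked against a JVM's cipher suite list before the connector is configured. The following is an added example, not part of the thread or of the tomcat-9-fips README: it groups JSSE suite names by whether the server's RSA key would decrypt the premaster secret (encipherment) or sign the key exchange (signature), and reports whether the system property named in the post is set. The class and enum names are hypothetical; the classification relies only on standard TLS suite naming.

```java
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;

/**
 * Added example: audit how one server RSA key would be used across the
 * enabled TLS cipher suites. Pass suite names as arguments to audit a
 * specific list; with no arguments the JVM's default enabled suites are used.
 */
public class RsaKeyUsageAudit {

    enum Usage { RSA_KEY_TRANSPORT, RSA_SIGNATURE, NO_RSA_KEY_IN_NAME }

    /** Classify a JSSE (IANA-style) cipher suite name by RSA key usage. */
    static Usage classify(String suite) {
        // TLS_RSA_* / SSL_RSA_*: the client encrypts the premaster secret
        // to the server's RSA key, so the key is used for encipherment.
        if (suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_")) {
            return Usage.RSA_KEY_TRANSPORT;
        }
        // *_DHE_RSA_* / *_ECDHE_RSA_*: the server signs its ephemeral key
        // exchange parameters, so the key is used for signature.
        if (suite.contains("_DHE_RSA_") || suite.contains("_ECDHE_RSA_")) {
            return Usage.RSA_SIGNATURE;
        }
        // ECDSA and DSS suites, and TLS 1.3 names, which do not encode the
        // certificate key type (TLS 1.3 uses the certificate key for signing only).
        return Usage.NO_RSA_KEY_IN_NAME;
    }

    /** Group suite names by usage, preserving their original order. */
    static Map<Usage, List<String>> group(String[] suites) {
        Map<Usage, List<String>> out = new EnumMap<>(Usage.class);
        for (Usage u : Usage.values()) {
            out.put(u, new ArrayList<>());
        }
        for (String s : suites) {
            out.get(classify(s)).add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String[] suites = args.length > 0
                ? args
                : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();

        Map<Usage, List<String>> groups = group(suites);
        for (Map.Entry<Usage, List<String>> e : groups.entrySet()) {
            System.out.println(e.getKey() + " (" + e.getValue().size() + ")");
            for (String s : e.getValue()) {
                System.out.println("  " + s);
            }
        }

        // Property name taken from the post; setting it relaxes the
        // single-use check, which the poster notes breaks strict compliance.
        String prop = System.getProperty("org.bouncycastle.rsa.allow_multi_use");
        System.out.println("org.bouncycastle.rsa.allow_multi_use = " + prop);

        boolean mixed = !groups.get(Usage.RSA_KEY_TRANSPORT).isEmpty()
                && !groups.get(Usage.RSA_SIGNATURE).isEmpty();
        if (mixed) {
            System.out.println("MIXED: a single RSA key would serve both "
                    + "encipherment and signature, depending on the negotiated suite.");
            // Candidate list that keeps the RSA key to signature use only.
            List<String> keep = new ArrayList<>();
            for (String s : suites) {
                boolean signalling = s.endsWith("_SCSV"); // not a real suite
                if (!signalling && classify(s) != Usage.RSA_KEY_TRANSPORT) {
                    keep.add(s);
                }
            }
            System.out.println("Without RSA key transport: " + String.join(",", keep));
        } else {
            System.out.println("OK: no mix of RSA encipherment and signature suites.");
        }
    }
}
```

Run it with the same JVM and security provider configuration that Tomcat uses, so the default list reflects what the connector would actually offer.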


RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

George Stanchev-2
You can add this to your guide and perhaps a little explanation:

Add this to your JAVA_OPTS: -Dorg.bouncycastle.rsa.allow_multi_use=true

Otherwise you're doomed to run into weird random and failures depending on what cipher suite your browser and server agree on which believe me, combined with the BCFIPS's atrocious logging levels can be quite hard to troubleshoot. But if you enable that...well technically you break out of FIPS compliance. The other option is to remove all RSA-based suites from your server's list so you don't run into the issue or always run with DSA keys

George


-----Original Message-----
From: George Stanchev
Sent: Thursday, December 03, 2020 7:59 PM
To: Tomcat Users List <[hidden email]>; Avik Ray <[hidden email]>
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Java's FIPS mode is "expirmental" feature that was removed in later Java versions. It was never certified (AFAIK). To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the later and have ran into issues with RSA keys. First the C# BCPROV doesn't support 4096 bit RSA keys (I know weird, but our config app is C# and we use BCFIPS/C# there) but that's OK, you can use Windows CNG or CAPI but of course you have to put the whole Windows in FIPS which is not prarctical all the time. But second, and most important BCFIPS implements stricter FIPS requirement that an RSA key cannot be used for both encipherment and signature and BCFIPS really tracks the usage. This, combined with the fact that Tomcat (8.5.someting about an year ago) doesn't really support multiple keys for SSL that can be dynamically selected really leaves you with only DSA key. Now, BC does support a system property to disable this FIPS requirement but now you are not FIPS compliant, strictly speaking. Which, as FIPS-compliancy goes, might or might not be a problem as it is really a self-reporting. Also, no way to get PKCS12 keystores in FIPS mode so you're stuck with BCKFS or PEMs.

George

-----Original Message-----
From: Amit Pande <[hidden email]>
Sent: Tuesday, November 24, 2020 9:31 AM
To: Tomcat Users List <[hidden email]>; Avik Ray <[hidden email]>
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik,

Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback.

The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use.

These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs.

Thanks,
Amit

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Friday, November 6, 2020 3:40 PM
To: Tomcat Users List <[hidden email]>; Avik Ray <[hidden email]>
Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik,

On 11/6/20 14:50, Avik Ray wrote:
> Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.
>
> We have done most of these configs. Are these steps sufficient to
> ensure that all incoming and outgoing TLS connections are FIPS compliant?

This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether of not you have met that requirement yourself.

> Or is there also a need to compile an APR connector with an underlying
> implementation of openssl?

You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode".

> Is the APR approach just an alternative to the JSSE approach covered
> in Anil's readme, and both hold equally good to be FIPS compliant?

Theoretically, yes.

It's also possible, I believe, to make The Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232
(FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode.

How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided.

-chris

> On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, <[hidden email]> wrote:
>
>> Hi,
>>
>> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <[hidden email]> wrote:
>>
>>> Dear team,
>>> Sending this query again after subscribing to the mailing list. Sent
>>> it originally 3 days back, but just saw an error response in the
>>> spam folder asking to subscribe first.
>>>
>>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
>>> connector with JSSE, without an underlying OpenSSL.
>>>
>>> As per Tomcat 9 docs, the only mention of FIPS compliant operation I
>>> see is in the config of APR lifecycle listener, with the expectation
>>> of an underlying OpenSSL implementation that can be set to FIPS
>>> enabled mode. Ref:
>>> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html
>>>
>>> Is it possible to be FIPS compliant with the usage of Tomcat,
>>> without the above setting? We were thinking of using BouncyCastle
>>> FIPS as the underlying Java crypto provider instead of OpenSSL for
>>> multiple reasons.
>>>
>>> Are there any other dependencies Tomcat has on the underlying stack,
>>> besides that provided by a Java crypto provider like BC-FIPS, having
>>> a bearing on FIPS compliance?
>>>
>>> Please advise, as this is urgent for a FIPS compliance decision.
>>>
>>
>> Please check the README of this project -
>> https://github.com/amitlpande/tomcat-9-fips
>> Amit Pande recently shared it here at users@.
>>
>> Regards,
>> Martin
>>
>>
>>>
>>> Thanks,
>>> Avik Ray
>>>
>>>
>>>
>>
>


Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Christopher Schultz-2
In reply to this post by George Stanchev-2
George,

On 12/3/20 21:59, George Stanchev wrote:
> Java's FIPS mode is "experimental" feature that was removed in later
> Java versions. It was never certified (AFAIK).
I've always found conflicting information about whether or not Java's
crypto module was FIPS-certified or not. Sun/Oracle have documentation
which suggests that, at least under some configurations, it IS
certified, but there is precious little information about it.

I suspect you can pay Oracle to give you the magic that makes it
certified. I've never cared enough about it to actually try to find it
out. I find FIPS to be a useless requirement that doesn't add any
security beyond what usual best-practices would give you.

But I don't do work in intelligence or military applications, so I'm
allowed to thumb my nose at such things.

> To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS.

NIO+JSSE/OpenSSL ought to be okay, theoretically. The
"AprLifecycleListener" is a misnomer; it really should be the
"TcnativeLifecycleListener". You can use it to configure OpenSSL into
FIPS mode and still use NIO+OpenSSL as your connector.

> We have implemented the latter and have run into issues with RSA keys.
> First the C# BCPROV doesn't support 4096 bit RSA keys
What? It's like the most popular configuration in the world right now.

> (I know weird, but our config app is C# and we use BCFIPS/C# there)
> but that's OK, you can use Windows CNG or CAPI but of course you have
> to put the whole Windows in FIPS which is not practical all the
> time.
>
> But second, and most important BCFIPS implements stricter FIPS
> requirement that an RSA key cannot be used for both encipherment and
> signature and BCFIPS really tracks the usage.
That's appropriate, actually. What's the problem, there?

> This, combined with the fact that Tomcat (8.5.something about a year
> ago) doesn't really support multiple keys for SSL that can be
> dynamically selected really leaves you with only DSA key.
I'm curious what version that is, because Tomcat will definitely select
the appropriate certificate from a set of RSA/DSA/ECDSA-based certs.

> Now, BC does support a system property to disable this FIPS
> requirement but now you are not FIPS compliant, strictly speaking.
Well... FIPS is all about strictness. You can certainly use the OpenSSL
FIPS module without entering FIPS mode, but, well, then you aren't
actually using the FIPS module, then, are you.

"
Man: We have the most sophisticated door-locks money can buy!
Woman: Who has access to the keys?
Man: It's super secure! Nobody has access to the keys because we
never engage the locks!
"

> Which, as FIPS-compliancy goes, might or might not be a problem as it
> is really a self-reporting. Also, no way to get PKCS12 keystores in
> FIPS mode so you're stuck with BCKFS or PEMs.
I didn't realize that PKCS12 doesn't work in FIPS mode. Why not?

Thanks,
-chris

> -----Original Message-----
> From: Amit Pande <[hidden email]>
> Sent: Tuesday, November 24, 2020 9:31 AM
> To: Tomcat Users List <[hidden email]>; Avik Ray <[hidden email]>
> Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
>
> Avik,
>
> Did you happen to try out the steps in README https://github.com/amitlpande/tomcat-9-fips here? I am looking for feedback from the community before I could add these steps (and some more) on Tomcat Security FAQ page. So, really appreciate your (and others') feedback.
>
> The steps above rely purely on JSSE and JCA/JCE providers, no OpenSSL use.
>
> These steps will enable a plain vanilla Tomcat to run in FIPS compliant mode. And as Chris mentioned below, we need to ensure any web app deployed within the Tomcat use FIPS compliant constructs.
>
> Thanks,
> Amit
>
> -----Original Message-----
> From: Christopher Schultz <[hidden email]>
> Sent: Friday, November 6, 2020 3:40 PM
> To: Tomcat Users List <[hidden email]>; Avik Ray <[hidden email]>
> Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
>
> Avik,
>
> On 11/6/20 14:50, Avik Ray wrote:
>> Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.
>>
>> We have done most of these configs. Are these steps sufficient to
>> ensure that all incoming and outgoing TLS connections are FIPS compliant?
>
> This isn't something that the Tomcat community can really comment on. If you have a requirement to be FIPS-compliant, then you will need to evaluate whether or not you have met that requirement yourself.
>
>> Or is there also a need to compile an APR connector with an underlying
>> implementation of openssl?
>
> You do not NEED to do this, but it is a possibility that will allow you to definitely put the crypto engine into "FIPS mode".
>
>> Is the APR approach just an alternative to the JSSE approach covered
>> in Anil's readme, and both hold equally good to be FIPS compliant?
>
> Theoretically, yes.
>
> It's also possible, I believe, to make the Sun/Oracle JSSE provider FIPS compliant. Hmm maybe not: https://stackoverflow.com/a/5047855/276232
> (FYI Stephen Colebourne tends to know what he's talking about.) It's a little unclear to me whether or not this is possible, while OpenSSL has very good documentation for how to build a FIPS-compliant binary library and then put it in the right mode.
>
> How FIPS-compliant do you actually need to be? It's pretty trivial to make sure that you support certain algorithms, etc. and that you disable other ones. FIPS, however, technically requires that you enable certain algorithms that really should no longer be used. These days, strict FIPS compliance is IMHO a risk to be avoided.
>
> -chris
>
>> On Fri, 6 Nov, 2020, 12:51 Martin Grigorov, <[hidden email]> wrote:
>>
>>> Hi,
>>>
>>> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray <[hidden email]> wrote:
>>>
>>>> Dear team,
>>>> Sending this query again after subscribing to the mailing list. Sent
>>>> it originally 3 days back, but just saw an error response in the
>>>> spam folder asking to subscribe first.
>>>>
>>>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO
>>>> connector with JSSE, without an underlying OpenSSL.
>>>>
>>>> As per Tomcat 9 docs, the only mention of FIPS compliant operation I
>>>> see is in the config of APR lifecycle listener, with the expectation
>>>> of an underlying OpenSSL implementation that can be set to FIPS
>>>> enabled mode. Ref:
>>>> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html
>>>>
>>>> Is it possible to be FIPS compliant with the usage of Tomcat,
>>>> without the above setting? We were thinking of using BouncyCastle
>>>> FIPS as the underlying Java crypto provider instead of OpenSSL for
>>>> multiple reasons.
>>>>
>>>> Are there any other dependencies Tomcat has on the underlying stack,
>>>> besides that provided by a Java crypto provider like BC-FIPS, having
>>>> a bearing on FIPS compliance?
>>>>
>>>> Please advise, as this is urgent for a FIPS compliance decision.
>>>>
>>>
>>> Please check the README of this project -
>>> https://github.com/amitlpande/tomcat-9-fips
>>> Amit Pande recently shared it here at users@.
>>>
>>> Regards,
>>> Martin
>>>
>>>
>>>>
>>>> Thanks,
>>>> Avik Ray
>>>>
>>>>
>>>>
>>>
>>
>

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

George Stanchev-2


-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Friday, December 04, 2020 10:58 AM
To: [hidden email]
Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

George,

On 12/3/20 21:59, George Stanchev wrote:
> Java's FIPS mode is "experimental" feature that was removed in later
> Java versions. It was never certified (AFAIK).
I've always found conflicting information about whether or not Java's crypto module was FIPS-certified or not. Sun/Oracle have documentation which suggests that, at least under some configurations, it IS certified, but there is precious little information about it.

I suspect you can pay Oracle to give you the magic that makes it certified. I've never cared enough about it to actually try to find it out. I find FIPS to be a useless requirement that doesn't add any security beyond what usual best-practices would give you.

But I don't do work in intelligence or military applications, so I'm allowed to thumb my nose at such things.


GS: IBM's JCE is FIPS-certified but not Oracle's. Also, we should make a distinction between "certified" and "compliant". Certification is obtained by a long and laborious process by NIST. Compliancy is mainly self reporting. Look here https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8217911 for Oracle removing the "compliant" mode in Java 13. If you read through the task, you will see it states "Legacy applications might have used the experimental mode...". Me and you can have our opinions about FIPS, but the reality is that if you want to sell to government entities (and even some commercial entities) you really need FIPS support in your product. With the pluggability of Java's crypto interface, I seriously doubt Oracle is going to certify a JCE module in the future, esp. with free 3rd party solutions such as BCFIPS.



> To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS.

NIO+JSSE/OpenSSL ought to be okay, theoretically. The
"AprLifecycleListener" is a misnomer; it really should be the "TcnativeLifecycleListener". You can use it to configure OpenSSL into FIPS mode and still use NIO+OpenSSL as your connector.

GS: You are right, I might have misspoken by saying "APR". What I really meant is you need to have OpenSSL as in tcnative. The problem I faced back in the days was that the prebuilt binaries come with regular, non-FIPS OpenSSL and despite my long efforts I was never able to build it successfully and fully on Windows x64. I found it non-trivial and the toolsets to be very specific, and even after following all instructions from several wikis and web pages I kept running into issues resulting in overall failure.  Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is only available for that version line. OpenSSL still produces security fixes to paid support subscribers (we are) but they are not available for the general public. OpenSSL 3.0 will have a refreshed re-certified FIPS module but it is not due until later next year, so for now general public is left hanging with the last public version of 1.0.1+FIPS.

> We have implemented the latter and have run into issues with RSA keys.
> First the C# BCPROV doesn't support 4096 bit RSA keys
What? It's like the most popular configuration in the world right now.

I know you can read more about it here: https://github.com/bcgit/bc-java/issues/616

> (I know weird, but our config app is C# and we use BCFIPS/C# there)
> but that's OK, you can use Windows CNG or CAPI but of course you have
> to put the whole Windows in FIPS which is not practical all the time.
>
> But second, and most important BCFIPS implements stricter FIPS
> requirement that an RSA key cannot be used for both encipherment and
> signature and BCFIPS really tracks the usage.

That's appropriate, actually. What's the problem, there?

GS: See my next comment with a link to technical explanation

> This, combined with the fact that Tomcat (8.5.something about a year
> ago) doesn't really support multiple keys for SSL that can be
> dynamically selected really leaves you with only DSA key.

I'm curious what version that is, because Tomcat will definitely select the appropriate certificate from a set of RSA/DSA/ECDSA-based certs.

GS: http://mail-archives.apache.org/mod_mbox/tomcat-users/201911.mbox/%3Caa01aac6-fa82-a100-3d37-26b3521cb971@...%3E
GS: I never had the time to formalize the patch, to submit a BZ and attach it, which is a shame. I should perhaps do this....


> Now, BC does support a system property to disable this FIPS
> requirement but now you are not FIPS compliant, strictly speaking.
Well... FIPS is all about strictness. You can certainly use the OpenSSL FIPS module without entering FIPS mode, but, well, then you aren't actually using the FIPS module, then, are you.

"
Man: We have the most sophisticated door-locks money can buy!
Woman: Who has access to the keys?
Man: It's super secure! Nobody has access to the keys because we
never engage the locks!
"

GS: As I said, "compliancy" is really about self-reporting. You could do whatever you want and say you're FIPS compliant but then, once you sell to the US government, you sign a bunch of forms that make you liable. Nobody is requesting you open your source but things can and will surface and then you lose business, you lose credibility and perhaps can be held liable...That's why you should proceed with caution as I described in my later email...

> Which, as FIPS-compliancy goes, might or might not be a problem as it
> is really a self-reporting. Also, no way to get PKCS12 keystores in
> FIPS mode so you're stuck with BCKFS or PEMs.

I didn't realize that PKCS12 doesn't work in FIPS mode. Why not?

GS: "Algorithms redtape hell" though there is nothing explicitly prohibiting pkcs12. The main issue is in generation of MAC - the hash that is used to check the password integrity of the file. The hash is computed using a hash algorithm from the list of allowed hash algorithms, and the key that is used to encrypt the hash is derived from the password. The function to derive the key is unique to the standard and described in Appendix B of the PKCS12 spec. This function is not FIPS compliant and cannot be in approved mode. The workaround could be to use a different password based key derivation function - PBKDF2. However, there is nothing in the PKCS12 spec that allows to encode another algorithm OID in MacData. In essence, you cannot use any other algorithm other than the one defined in spec which is not FIPS compliant. Another workaround could be to omit the MAC altogether when generating a file, however this results in libraries that try to parse such files (Windows, BC). Supported only for OpenSSL (to my knowledge) but...you get the idea...

George
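
The PKCS12 MAC derivation discussed in the message above, as an added example that is not part of the original thread: the key derivation from Appendix B.2 of the PKCS #12 specification (RFC 7292) used to key the MacData integrity check, next to PBKDF2, the alternative named in the message. The function names, password, salt, iteration count and content bytes are constructed for illustration.

```python
"""PKCS#12 MacData key derivation (RFC 7292 Appendix B.2) beside PBKDF2."""
import hashlib
import hmac

# Constructed sample values, not taken from any real keystore.
PASSWORD = "changeit"
SALT = bytes.fromhex("0a58cf64530d823f")
ITERATIONS = 2048
CONTENT = b"constructed AuthenticatedSafe bytes"


def _fill(data: bytes, v: int) -> bytes:
    """Repeat data up to the next multiple of v bytes (empty stays empty)."""
    if not data:
        return b""
    size = v * ((len(data) + v - 1) // v)
    return (data * (size // len(data) + 1))[:size]


def pkcs12_kdf(password: str, salt: bytes, iterations: int,
               key_id: int, length: int, hash_name: str = "sha1") -> bytes:
    """RFC 7292 B.2 derivation. key_id: 1 = cipher key, 2 = IV, 3 = MAC key."""
    probe = hashlib.new(hash_name)
    u, v = probe.digest_size, probe.block_size
    # The password is a BMPString (UTF-16BE) with a two-byte NUL terminator.
    pw = (password + "\0").encode("utf-16-be")
    diversifier = bytes([key_id]) * v
    i_buf = bytearray(_fill(salt, v) + _fill(pw, v))
    out = b""
    while len(out) < length:
        # A_i = hash applied `iterations` times to D || I
        a = hashlib.new(hash_name, diversifier + bytes(i_buf)).digest()
        for _ in range(iterations - 1):
            a = hashlib.new(hash_name, a).digest()
        out += a
        # B = A_i repeated to v bytes; each v-byte block I_j becomes
        # (I_j + B + 1) mod 2^(8v) before the next round.
        b_plus_1 = int.from_bytes((a * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(i_buf), v):
            block = int.from_bytes(i_buf[j:j + v], "big") + b_plus_1
            i_buf[j:j + v] = (block % (1 << (8 * v))).to_bytes(v, "big")
    return out[:length]


def pkcs12_mac(password: str, salt: bytes, iterations: int,
               content: bytes, hash_name: str = "sha1") -> bytes:
    """MacData digest: HMAC keyed by the B.2 derivation with ID 3."""
    key_len = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(password, salt, iterations, 3, key_len, hash_name)
    return hmac.new(key, content, hash_name).digest()


def pbkdf2_mac(password: str, salt: bytes, iterations: int,
               content: bytes, hash_name: str = "sha256") -> bytes:
    """The same integrity check keyed by PBKDF2 instead. MacData carries only
    a digest algorithm, salt and iteration count, so a reader of the file has
    no field telling it that this derivation was used."""
    key = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                              salt, iterations)
    return hmac.new(key, content, hash_name).digest()


def verify_pkcs12_mac(password: str, salt: bytes, iterations: int,
                      content: bytes, expected: bytes,
                      hash_name: str = "sha1") -> bool:
    """What a PKCS12 reader does on load: recompute and compare in constant time."""
    actual = pkcs12_mac(password, salt, iterations, content, hash_name)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    mac = pkcs12_mac(PASSWORD, SALT, ITERATIONS, CONTENT)
    print("PKCS12 B.2 MAC :", mac.hex())
    print("PBKDF2 MAC     :", pbkdf2_mac(PASSWORD, SALT, ITERATIONS, CONTENT).hex())
    print("right password :", verify_pkcs12_mac(PASSWORD, SALT, ITERATIONS, CONTENT, mac))
    print("wrong password :", verify_pkcs12_mac("wrong", SALT, ITERATIONS, CONTENT, mac))
```

Both derivations feed an ordinary HMAC; the only difference is how the password becomes the HMAC key, which is the step the message identifies as fixed by the file format.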


Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Christopher Schultz-2
George,

On 12/4/20 14:22, George Stanchev wrote:

> -----Original Message-----
> From: Christopher Schultz <[hidden email]>
> Sent: Friday, December 04, 2020 10:58 AM
> To: [hidden email]
> Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?
>
> George,
>
> On 12/3/20 21:59, George Stanchev wrote:
>> Java's FIPS mode is "experimental" feature that was removed in later
>> Java versions. It was never certified (AFAIK).
> I've always found conflicting information about whether or not
> Java's crypto module was FIPS-certified or not. Sun/Oracle have
> documentation which suggests that, at least under some
> configurations, it IS certified, but there is precious little
> information about it.
>
> I suspect you can pay Oracle to give you the magic that makes it
> certified. I've never cared enough about it to actually try to find it
> out. I find FIPS to be a useless requirement that doesn't add any
> security beyond what usual best-practices would give you.
>
> But I don't do work in intelligence or military applications, so I'm
> allowed to thumb my nose at such things.
>
> GS: IBM's JCE is FIPS-certified but not Oracle's. Also, we should
> make a distinction between "certified" and "compliant".
Yes, thanks for pointing that out.

> Certification is obtained by a long and laborious process by NIST.
> Compliancy is mainly self reporting. Look here
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8217911 for
> Oracle removing the "compliant" mode in Java 13. If you read through
> the task, you will see it states "Legacy applications might have used
> the experimental mode...". Me and you can have our opinions about
> FIPS, but the reality is that if you want to sell to government
> entities (and even some commercial entities) you really need FIPS
> support in your product.
Sadly, yes.

> With the pluggability of Java's crypto interface, I seriously doubt
> Oracle is going to certify a JCE module in the future, esp. with free
> 3rd party solutions such as BCFIPS.

Is BC actually certified? It seems unlikely to me that a group of
volunteers from Australia are going to bother to go through that
module-certification process.

>> To me the only two viable options are via APR+OpenSSL 1.0.1/FIPS and BCFIPS.
>
> NIO+JSSE/OpenSSL ought to be okay, theoretically. The
> "AprLifecycleListener" is a misnomer; it really should be the
> "TcnativeLifecycleListener". You can use it to configure OpenSSL
> into FIPS mode and still use NIO+OpenSSL as your connector.
>
> GS: You are right, I might have misspoken by saying "APR". What I
> really meant is you need to have OpenSSL as in tcnative. The problem
> I faced back in the days was that the prebuilt binaries come with
> regular, non-FIPS OpenSSL and despite my long efforts I was never
> able to build it successfully and fully on Windows x64.
Oh. You're on Windows. You're right, that will suck. The binaries
packaged by ASF are definitely not going to be FIPS-certified. You'll
have to build your own and then dynamically-link it to tcnative during
the build.

> I found it non-trivial and the toolsets to be very specific, and even
> after following all instructions from several wikis and web pages I
> kept running into issues resulting in overall failure.
Yes, the build process for OpenSSL is horrible. I have no idea why they
decided to use Perl as their build system. On Windows? I have only tried
to build the OpenSSL binary, not the FIPS-compliant module. Having done
it on Linux (where it's "easy") I can say I'm glad I'm not responsible
for doing it on Windows.

> Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module
> is only available for that version line. OpenSSL still produces
> security fixes to paid support subscribers (we are) but they are not
> available for the general public. OpenSSL 3.0 will have a refreshed
> re-certified FIPS module but it is not due until later next year, so
> for now general public is left hanging with the last public version
> of 1.0.1+FIPS.

:(

This is why we can't have nice things.

>> We have implemented the latter and have run into issues with RSA keys.
>> First the C# BCPROV doesn't support 4096 bit RSA keys
> What? It's like the most popular configuration in the world right now.
>
> I know you can read more about it here: https://github.com/bcgit/bc-java/issues/616

See... this is why I say that FIPS is sometimes bad: they specifically
disallow large keys. And that's ... more secure? *Sigh*

>> (I know weird, but our config app is C# and we use BCFIPS/C# there)
>> but that's OK, you can use Windows CNG or CAPI but of course you have
>> to put the whole Windows in FIPS which is not practical all the time.
>>
>> But second, and most important BCFIPS implements stricter FIPS
>> requirement that an RSA key cannot be used for both encipherment and
>> signature and BCFIPS really tracks the usage.
>
> That's appropriate, actually. What's the problem, there?
>
> GS: See my next comment with a link to technical explanation
>
>> This, combined with the fact that Tomcat (8.5.something about a year
>> ago) doesn't really support multiple keys for SSL that can be
>> dynamically selected really leaves you with only DSA key.
>
> I'm curious what version that is, because Tomcat will definitely
> select the appropriate certificate from a set of RSA/DSA/ECDSA-based
> certs.
>
> GS: http://mail-archives.apache.org/mod_mbox/tomcat-users/201911.mbox/%3Caa01aac6-fa82-a100-3d37-26b3521cb971@...%3E
> GS: I never had the time to formalize the patch, to submit a BZ and
> attach it, which is a shame. I should perhaps do this....
Oh... so it's YOUR fault! :)

>> Now, BC does support a system property to disable this FIPS
>> requirement but now you are not FIPS compliant, strictly speaking.
>
> Well... FIPS is all about strictness. You can certainly use the
> OpenSSL FIPS module without entering FIPS mode, but, well, then you
> aren't actually using the FIPS module, then, are you.
>
> "
> Man: We have the most sophisticated door-locks money can buy!
> Woman: Who has access to the keys?
> Man: It's super secure! Nobody has access to the keys because we
> never engage the locks!
> "
>
> GS: As I said, "compliancy" is really about self-reporting. You
> could do whatever you want and say you're FIPS compliant but then,
> once you sell to the US government, you sign a bunch of forms that make
> you liable. Nobody is requesting you open your source but things can
> and will surface and then you lose business, you lose credibility and
> perhaps can be held liable...That's why you should proceed with
> caution as I described in my later email...

Of course. I work in healthcare in the US and sometimes people ask us
about FIPS. I give them my opinion and then tell them "we always try to
do better than FIPS" referencing the industry-wide deprecation of
certain cryptographic algorithms, etc. which FIPS says you *must*
support (and no high-bit RSA keys ffs!). There are no regulations which
require us to operate in FIPS mode, so I always tell them that we can
provide FIPS compliance if they are willing to pay a huge sum for us to
guarantee it. I haven't ever had a client take me up on that offer.

>> Which, as FIPS-compliancy goes, might or might not be a problem as it
>> is really a self-reporting. Also, no way to get PKCS12 keystores in
>> FIPS mode so you're stuck with BCKFS or PEMs.
>
> I didn't realize that PKCS12 doesn't work in FIPS mode. Why not?
>
> GS: "Algorithms redtape hell" though there is nothing explicitly
> prohibiting pkcs12. The main issue is in generation of MAC - the hash
> that is used to check the password integrity of the file. The hash is
> computed using a hash algorithm from the list of allowed hash
> algorithms, and the key that is used to encrypt the hash is derived
> from the password. The function to derive the key is unique to the
> standard and described in Appendix B of the PKCS12 spec. This
> function is not FIPS compliant and cannot be in approved mode.
Of course not. Do they know that credit card numbers still have a
check-digit which uses the Luhn algorithm? I'll bet *that's* not
approved for use in FIPS and yet, here we are processing credit card
transactions billions of times per day.

> The workaround could be to use a different password based key
> derivation function - PBKDF2. However, there is nothing in the PKCS12
> spec that allows to encode another algorithm OID in MacData. In essence,
> you cannot use any other algorithm other than the one defined in spec
> which is not FIPS compliant.

And something which is ironically FIPS-compliant is to use a PEM file
with no protection whatsoever.

> Another workaround could be to omit the MAC altogether when
> generating a file, however this results in libraries that try to parse
> such files (Windows, BC). Supported only for OpenSSL (to my knowledge)
> but...you get the idea...

It's too bad this stuff can't get updated more frequently. :/

-chris


RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

George Stanchev-2
Chris

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Friday, December 04, 2020 1:20 PM
To: [hidden email]
Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

<snip>

> With the pluggability of Java's crypto interface, I seriously doubt
> Oracle is going to certify a JCE module in the future, esp. with free
> 3rd party solutions such as BCFIPS.

Is BC actually certified? It seems unlikely to me that a group of volunteers from Australia are going to bother to go through that module-certification process.

GS: While the project is open sourced they had a company (Crypto Workshop) that earned a living through paid support and consulting. They were recently acquired (https://www.prnewswire.com/news-releases/primekey-acquires-crypto-workshop-300988188.html). And yes they are certified (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2768) and currently working on the next certification, expected out next year.

<snip>


> I found it non-trivial and the toolsets to be very specific, and even
> after following all instructions from several wikis and web pages I
> kept running into issues resulting in overall failure.

Yes, the build process for OpenSSL is horrible. I have no idea why they decided to use Perl as their build system. On Windows? I have only tried to build the OpenSSL binary, not the FIPS-compliant module. Having done it on Linux (where it's "easy") I can say I'm glad I'm not responsible for doing it on Windows.

GS: Sadly, OpenSSL and the FIPS module built just fine. I forgot the details but it was the APR or the tcnative itself that failed me. There is also a bug in OpenSSL or tomcat's glue code that if cacerts contain more than a certain number of certificates to fail the handshake with timeout (http://tomcat.10.x6.nabble.com/Client-Cert-TLS-issue-td5090609.html)

> Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is
> only available for that version line. OpenSSL still produces security
> fixes to paid support subscribers (we are) but they are not available
> for the general public. OpenSSL 3.0 will have a refreshed re-certified
> FIPS module but it is not due until later next year, so for now
> general public is left hanging with the last public version of
> 1.0.1+FIPS.

:(

This is why we can't have nice things.

<snap>

> The workaround could be to use a different password based key
> derivation function - PBKDF2. However, there is nothing in the PKCS12
> spec that allows to encode another algorithm OID in MacData. In
> essence, you cannot use any other algorithm other than the one defined
> in spec which is not FIPS compliant.

And something which is ironically FIPS-compliant is to use a PEM file with no protection whatsoever.

GS: Well, the keys in the PEM files are still encrypted but you're right no protection of the overall container like in BCFKS or PKCS12

George



RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Amit Pande
Thank you George for letting us know on "-Dorg.bouncycastle.rsa.allow_multi_use=true" JVM option. Will explore this further and update the document (https://github.com/amitlpande/tomcat-9-fips/blob/master/README.md) appropriately.

Albeit reluctantly, we have given in to use BCFIPS (over PKCS12) for our key stores as it is the only format meeting our FIPS requirements.

Thanks,
Amit

-----Original Message-----
From: George Stanchev <[hidden email]>
Sent: Saturday, December 5, 2020 11:17 AM
To: Tomcat Users List <[hidden email]>
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Chris

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Friday, December 04, 2020 1:20 PM
To: [hidden email]
Subject: Re: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

<snip>

> With the pluggability of Java's crypto interface, I seriously doubt
> Oracle is going to certify a JCE module in the future, esp. with free
> 3rd party solutions such as BCFIPS.

Is BC actually certified? It seems unlikely to me that a group of volunteers from Australia are going to bother to go through that module-certification process.

GS: While the project is open sourced they had a company (Crypto Workshop) that earned a living through paid support and consulting. They were recently acquired (https://www.prnewswire.com/news-releases/primekey-acquires-crypto-workshop-300988188.html). And yes they are certified (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2768) and currently working on the next certification, expected out next year.

<snip>


> I found it non-trivial and the toolsets to be very specific, and even
> after following all instructions from several wikis and web pages I
> kept running into issues resulting in overall failure.

Yes, the build process for OpenSSL is horrible. I have no idea why they decided to use Perl as their build system. On Windows? I have only tried to build the OpenSSL binary, not the FIPS-compliant module. Having done it on Linux (where it's "easy") I can say I'm glad I'm not responsible for doing it on Windows.

GS: Sadly, OpenSSL and the FIPS module built just fine. I forgot the details but it was the APR or the tcnative itself that failed me. There is also a bug in OpenSSL or tomcat's glue code that if cacerts contain more than a certain number of certificates to fail the handshake with timeout (http://tomcat.10.x6.nabble.com/Client-Cert-TLS-issue-td5090609.html)

> Also, keep in mind that OpenSSL 1.0.1 is EOLed and the FIPS module is
> only available for that version line. OpenSSL still produces security
> fixes to paid support subscribers (we are) but they are not available
> for the general public. OpenSSL 3.0 will have a refreshed re-certified
> FIPS module but it is not due until later next year, so for now
> general public is left hanging with the last public version of
> 1.0.1+FIPS.

:(

This is why we can't have nice things.

<snap>

> The workaround could be to use a different password based key
> derivation function - PBKDF2. However, there is nothing in the PKCS12
> spec that allows to encode another algorithm OID in MacData. In
> essence, you cannot use any other algorithm other than the one defined
> in spec which is not FIPS compliant.

And something which is ironically FIPS-compliant is to use a PEM file with no protection whatsoever.

GS: Well, the keys in the PEM files are still encrypted but you're right no protection of the overall container like in BCFKS or PKCS12

George
