</usage>
</directivesynopsis>
-<directivesynopsis>
-<name>SSLFIPS</name>
-<description>SSL FIPS mode Switch</description>
-<syntax>SSLFIPS on|off</syntax>
-<default>SSLFIPS off</default>
-<contextlist><context>server config</context></contextlist>
-
-<usage>
-<p>
-This directive toggles the usage of the SSL library FIPS_mode flag.
-It must be set in the global server context and cannot be configured
-with conflicting settings (SSLFIPS on followed by SSLFIPS off or
-similar). The mode applies to all SSL library operations.
-</p>
-<p>
-If httpd was compiled against an SSL library which did not support
-the FIPS_mode flag, <code>SSLFIPS on</code> will fail. Refer to the
-FIPS 140-2 Security Policy document of the SSL provider library for
-specific requirements to use mod_ssl in a FIPS 140-2 approved mode
-of operation; note that mod_ssl itself is not validated, but may be
-described as using FIPS 140-2 validated cryptographic module, when
-all components are assembled and operated under the guidelines imposed
-by the applicable Security Policy.
-</p>
-</usage>
-</directivesynopsis>
-
<directivesynopsis>
<name>SSLProtocol</name>
<description>Configure usable SSL protocol flavors</description>
SSL_CMD_SRV(Engine, TAKE1,
"SSL switch for the protocol engine "
"(`on', `off')")
- SSL_CMD_SRV(FIPS, FLAG,
- "Enable FIPS-140 mode "
- "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
cfgMerge(mc, NULL);
cfgMerge(enabled, SSL_ENABLED_UNSET);
-#ifdef HAVE_FIPS
- cfgMergeBool(fips);
-#endif
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
cfgMergeBool(cipher_server_pref);
return "Argument must be On, Off, or Optional";
}
-const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
- return err;
- }
-
-#ifdef HAVE_FIPS
- if ((sc->fips != UNSET) && (sc->fips != (flag ? TRUE : FALSE)))
- return "Conflicting SSLFIPS options, cannot be both On and Off";
- sc->fips = flag ? TRUE : FALSE;
-#else
- if (flag)
- return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
-#endif
-
- return NULL;
-}
-
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLModConfigRec *mc = myModConfig(s);
-#ifdef HAVE_FIPS
-
- if (FIPS_mode() && bits < 1024) {
- mc->pTmpKeys[idx] = NULL;
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Init: Skipping generating temporary "
- "%d bit RSA private key in FIPS mode", bits);
- return OK;
- }
-
-#endif
-
if (!(mc->pTmpKeys[idx] =
RSA_generate_key(bits, RSA_F4, NULL, NULL)))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to generate temporary "
"%d bit RSA private key", bits);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
return !OK;
}
{
SSLModConfigRec *mc = myModConfig(s);
-#ifdef HAVE_FIPS
-
- if (FIPS_mode() && bits < 1024) {
- mc->pTmpKeys[idx] = NULL;
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Init: Skipping generating temporary "
- "%d bit DH parameters in FIPS mode", bits);
- return OK;
- }
-
-#endif
-
if (!(mc->pTmpKeys[idx] =
ssl_dh_GetTmpParam(bits)))
{
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
-#ifdef HAVE_FIPS
- if(sc->fips) {
- if (!FIPS_mode())
- if (FIPS_mode_set(1)) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
- "Operating in SSL FIPS mode");
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
- ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
- ssl_die();
- }
- }
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
- "SSL FIPS mode disabled");
- }
-#endif
-
/*
* read server private keys/public certs into memory.
* decrypting any encrypted keys via configured SSLPassPhraseDialogs
#ifndef OPENSSL_NO_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
#endif
-#ifdef HAVE_FIPS
- BOOL fips;
-#endif
};
/**
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
-const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
-
/** module initialization */
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
#define HAVE_SSL_X509V3_EXT_d2i
-#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
-#define HAVE_FIPS
-#endif
-
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
projects / thirdparty / apache / httpd.git / commitdiff
