SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA\r
\r
The cipher suites can, of course, be a subset of the above.\r
+\r
+General: All crypto should be done via OpenSSL (or another FIPS\r
+certified package). Any external packages using crypto must enable\r
+FIPS mode in OpenSSL. The OpenSSL FIPS security policy must be\r
+followed.\r
+\r
+Note that because Apache sets FIPS mode in OpenSSL, other libraries or\r
+modules using OpenSSL that coexist may exhibit unexpected behaviour\r
+because of the restrictions FIPS mode imposes.\r
+\r
+In particular, only DES, AES, RSA, DSA/DSS and SHA-1 can be\r
+used. There is a special exception that permits the use of MD5 within\r
+TLS, but not elsewhere.\r
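Review bot: the last added paragraph's list, "only DES, AES, RSA, DSA/DSS and SHA-1", does not match the SSLCipherSuite line directly above the added text. That line includes DHE-/EDH- suites, which use Diffie-Hellman key exchange, and DES-CBC3 suites, but the paragraph names neither DH nor Triple DES. Suggest naming them explicitly, or stating that "DES" here is meant to cover DES-CBC3, so a reader can check a cipher string against the paragraph. Also, the cipher string in the context reads "AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA" with no ":" between AES128-SHA and EXP1024-DHE-DSS-DES-CBC-SHA; if that is how it appears in the file, it is worth fixing in the same change, since the new text sends readers to that list. Finally, "Any external packages using crypto must enable FIPS mode in OpenSSL" does not say how or where that is done; a pointer to the relevant part of the security policy would make the requirement actionable.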