From decaaf6ca57ed8dac02c65a60b22149a55406d0b Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Mon, 13 Jun 2005 15:24:18 +0000 Subject: [PATCH] More info. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev@190416 13f79535-47bb-0310-9956-ffa450edef68 --- README-FIPS | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README-FIPS b/README-FIPS index 93b405c2b53..8cc6d28e1b1 100644 --- a/README-FIPS +++ b/README-FIPS @@ -46,3 +46,16 @@ SSLProtocol +TLSv1 SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA The cipher suites can, of course, be a subset of the above. + +General: All crypto should be done via OpenSSL (or another FIPS +certified package). Any external packages using crypto must enable +FIPS mode in OpenSSL. The OpenSSL FIPS security policy must be +followed. + +Note that because Apache sets FIPS mode in OpenSSL, other libraries or +modules using OpenSSL that coexist may exhibit unexpected behaviour +because of the restrictions FIPS mode imposes. + +In particular, only DES, AES, RSA, DSA/DSS and SHA-1 can be +used. There is a special exception that permits the use of MD5 within +TLS, but not elsewhere. -- 2.47.2
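Review bot: The new "In particular, only DES, AES, RSA, DSA/DSS and SHA-1 can be used" paragraph is inconsistent with the SSLCipherSuite list a few lines above it in the same hunk: every DHE-*/EDH-* suite in that list performs a Diffie-Hellman key exchange, yet DH does not appear in the permitted-algorithm list, so either DH should be added to the list or the DHE/EDH suites should be dropped from the recommended configuration. The same sentence says "DES" while the list mixes Triple-DES suites (DES-CBC3-SHA) with single-DES and export-grade suites (DES-CBC-SHA, EXP-DES-CBC-SHA, EXP1024-*); the README should say which of these the FIPS policy actually permits, since "DES" alone does not cover key-length restrictions. The two added "General" and "Note that" paragraphs also pull in different directions: the first says any external package using crypto "must enable FIPS mode in OpenSSL", the second says Apache already sets FIPS mode and other modules merely inherit its restrictions; state clearly whether a module is expected to call into FIPS mode itself or only to avoid disabling it, and since "The OpenSSL FIPS security policy must be followed" is the operative requirement, give a pointer to where that policy document is found. Finally, while in this region of the file, the unchanged context line "...AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA..." appears to be missing the ":" separator between AES128-SHA and EXP1024-DHE-DSS-DES-CBC-SHA, which would make mod_ssl reject that token; worth fixing in a follow-up.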