| author | Ben Laurie <ben@apache.org> | 2005-06-13 15:24:18 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@apache.org> | 2005-06-13 15:24:18 +0000 |
| commit | decaaf6ca57ed8dac02c65a60b22149a55406d0b (patch) | |
| tree | c2768a194197a2bdc13299df68d83fd1d3e4029c | |
| parent | 451131ff76b1feaa713bc3656a3e342f2e0d490a (diff) | |
| download | httpd-decaaf6ca57ed8dac02c65a60b22149a55406d0b.tar.gz | |
More info.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev@190416 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | README-FIPS | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/README-FIPS b/README-FIPS index 93b405c2b5..8cc6d28e1b 100644 --- a/README-FIPS +++ b/README-FIPS @@ -46,3 +46,16 @@ SSLProtocol +TLSv1 SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHAEXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA
The cipher suites can, of course, be a subset of the above.
+
+General: All crypto should be done via OpenSSL (or another FIPS
+certified package). Any external packages using crypto must enable
+FIPS mode in OpenSSL. The OpenSSL FIPS security policy must be
+followed.
+
+Note that because Apache sets FIPS mode in OpenSSL, other libraries or
+modules using OpenSSL that coexist may exhibit unexpected behaviour
+because of the restrictions FIPS mode imposes.
+
+In particular, only DES, AES, RSA, DSA/DSS and SHA-1 can be
+used. There is a special exception that permits the use of MD5 within
+TLS, but not elsewhere.
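Review bot: The algorithm list in the last added paragraph ("only DES, AES, RSA, DSA/DSS and SHA-1 can be used") omits Diffie-Hellman, yet the SSLCipherSuite context line just above this addition names DHE- and EDH- suites. Either add DH to the list or state that the list covers only ciphers, signature algorithms and digests. Please also say whether "DES" here is meant to include the triple-DES (DES-CBC3) suites listed above. Separately, the first added paragraph says external packages "must enable FIPS mode in OpenSSL" while the second says Apache already sets it; one sentence on whether a coexisting module has to do anything itself would remove the ambiguity.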
