I've built openssl-fips, openssl, and tc-native (Tomcat Native Library) and pointed Tomcat at the native library. I see APR started in the logs:
13-Nov-2014 14:01:32.197 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.3.9.
13-Nov-2014 14:01:32.197 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Nov-2014 14:01:32.431 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
13-Nov-2014 14:01:32.712 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-443"]
I can get to the site using https://localhost/ and the cert looks like it's correct. Firefox looks the same when I look at the site security information and compare the before-FIPS and after-FIPS setup:
The questions are:
- How can I verify that the communication between the browser and server is actually FIPS 140-2 compliant?
- Is there any way to force FIPS-only communication on the server end?
It may not be obvious, but this isn't a
<Connector>option, but instead an APR option which gets configured in theAPRLifecycleListenerinCATALINA_BASE/conf/server.xml.You can read the documentation for the APRLifecycleListener and see that there is a
FIPSModesetting that allows you to control the use of FIPS mode. I think you wantFIPSMode="on".This will force Tomcat (really OpenSSL) to operate in a FIPS-compliant manner. The client has no effect on this, and will therefore have to conform to the server's (FIPS-compliant) behavior.