We recommend that V-222950 be completely removed from the STIG as it has no perceivable benefit.


This finding requires that FIPS-validated cipher (suites) be used on secure connectors, but its requirements become unclear after that.

It is not clear whether this finding requires that a FIPS-validated cryptographic module be used in FIPS mode, that a FIPS-validated cryptographic module be used (in any mode), or only that the cipher suites be FIPS-140-2 validated (whatever that means). It also states that setting FIPSMode="on" on the AprLifecycleListener (a) will enable FIPS mode and (b) that FIPS mode is not possible without it.

Enabling the AprLifecycleListener and setting FIPSMode="on" is only applicable if OpenSSL is being used as the underlying cryptographic module, and that module has been built with FIPS support. There are other ways to use FIPS-validated cryptographic modules that do not involve this setting.
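To illustrate the dependency described above, here is an added server.xml fragment (not taken from the STIG or from Tomcat's own documentation) showing the listener setting alongside a connector that is explicitly configured to use the OpenSSL implementation; the certificate paths are placeholders.

```xml
<!-- Added example: FIPSMode on the AprLifecycleListener only acts on OpenSSL.
     It has no effect on a connector backed by the JSSE (Java) provider. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Loads the Tomcat Native / OpenSSL library and asks it to enter FIPS mode.
       This requires an OpenSSL build with FIPS support; otherwise startup fails. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            FIPSMode="on" />

  <Service name="Catalina">

    <!-- Connector explicitly bound to the OpenSSL implementation, so the
         listener's FIPS setting applies to this connector's TLS handling. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               SSLEnabled="true"
               scheme="https"
               secure="true">
      <SSLHostConfig protocols="TLSv1.2">
        <!-- Placeholder paths; substitute the real PEM files for the host. -->
        <Certificate certificateKeyFile="conf/PLACEHOLDER-server.key"
                     certificateFile="conf/PLACEHOLDER-server.crt" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

A connector using the JSSE implementation instead would be governed by the JVM's configured security providers, not by this listener attribute, which is why the attribute alone cannot prove that a FIPS-validated module is in use.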

This recommendation should clarify what is actually required, and be specific about how to ensure that a FIPS-validated module is actually in use.


No recommended additions at this point.