This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and should not be configured with conflicting settings (SSLFIPS on followed by SSLFIPS off or similar). The mode applies to all SSL library operations.
| Category | Value |
|---|---|
|
Syntax |
SSLFIPS ON | OFF |
|
Example |
SSLFIPS ON |
|
Default |
|
Configuring an SSLFIPS change requires that the SSLFIPS on/off directive be set globally in ssl.conf. Virtual level configuration is disabled in SSLFIPS directive. Hence, setting SSLFIPS to virtual directive results in an error.
Note:
Note the following restriction on SSLFIPS:
Enabling SSLFIPS mode in Oracle HTTP Server requires a wallet created with AES encrypted (compat_v12) headers. To create a new wallet or to convert an existing wallet with AES encryption, see these sections in orapki in Administering Oracle Fusion Middleware:
Creating and Viewing Oracle Wallets with orapki
The following tables describe the cipher suites that work in SSLFIPS mode with various protocols. For instructions on how to implement these cipher suites, see SSLCipherSuite Directive.
Table G-3 lists the cipher suites which work in TLS 1.0, TLS1.1, and TLS 1.2 protocols in SSLFIPS mode.
Table G-3 Ciphers Which Work in All TLS Protocols in SSLFIPS Mode
| Cipher Name | Cipher Works in These Protocols: |
|---|---|
|
SSL_RSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
|
SSL_RSA_WITH_AES_128_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
|
SSL_RSA_WITH_AES_256_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
Table G-4 lists the cipher suites and protocols that can be used in SSLFIPS mode.
Table G-4 Ciphers Which Work in FIPS Mode
| Cipher Name | Cipher Works in These Protocols: |
|---|---|
|
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLS 1.0 and later |
Note:
If SSLFIPS is set to ON, and a cipher that does not support FIPS is used at the server, then client requests that use that cipher fail.
To use the TLS_ECDHE_ECDSA cipher suite, Oracle HTTP Server requires a wallet created with an ECC user certificate. The TLS_ECDHE_ECDSA cipher suite does not work with RSA certificates.
To use the SSL_RSA/TLS_RSA/TLS_ECDHE_RSA cipher suite, Oracle HTTP Server requires a wallet created with an RSA user certificate. The SSL_RSA/TLS_RSA/TLS_ECDHE_RSA cipher suite does not work with ECC certificates.
For more information about how to configure ECC/RSA certificates in a wallet, see Creating and Viewing Oracle Wallets with orapki in Administering Oracle Fusion Middleware.
For instructions about how to implement these cipher suites and corresponding protocols, see SSL Cipher Suite Directive and SSL Protocol.
Table G-5 lists the cipher suites that do not work in SSPFIPS mode.
Table G-5 Ciphers That Do Not Work in SSLFIPS Mode
| Cipher Name | Description |
|---|---|
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
|
SSL_RSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |