
I've built openssl-fips, openssl, and tc-native (Tomcat Native Library) and pointed Tomcat at the native library. I see APR started in the logs:

13-Nov-2014 14:01:32.197 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.3.9.
13-Nov-2014 14:01:32.197 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Nov-2014 14:01:32.431 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
13-Nov-2014 14:01:32.712 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-443"]

I can get to the site using https://localhost/ and the cert looks like it's correct. Firefox looks the same when I look at the site security information and compare the before-FIPS and after-FIPS setup:


The questions are:

  1. How can I verify that the communication between the browser and server is actually FIPS 140-2 compliant?
  2. Is there any way to force FIPS-only communication on the server end?
Chris Williams

1 Answer


It may not be obvious, but this isn't a <Connector> option, but instead an APR option which gets configured in the APRLifecycleListener in CATALINA_BASE/conf/server.xml.

You can read the documentation for the APRLifecycleListener and see that there is a FIPSMode setting that allows you to control the use of FIPS mode. I think you want FIPSMode="on".

This will force Tomcat (really OpenSSL) to operate in a FIPS-compliant manner. The client has no effect on this, and will therefore have to conform to the server's (FIPS-compliant) behavior.

Christopher Schultz
  • FWIW, FIPS-140-2 is pretty much irrelevant, though I know lots of people running US-government-related services are required to adhere to it. I personally don't believe FIPS-compliance buys you anything at all above and beyond what you get from any decent crypto library. – Christopher Schultz Nov 13 '14 at 19:34
  • Hmm. I'll take a look at the APR options in the APRLifecycleListener. Thanks. – Chris Williams Nov 13 '14 at 19:47
  • 1
    After enabling this option, I now see: "Initializing FIPS mode..." and "Successfully entered FIPS mode" – Chris Williams Nov 13 '14 at 20:16
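As an added example (not from the question, the answer, or the Tomcat project), a small Python check that covers both questions: it confirms that the AprLifecycleListener in server.xml carries FIPSMode="on", and that the startup log contains the "Initializing FIPS mode..." / "Successfully entered FIPS mode" messages the asker reported after enabling it. The server.xml fragment, log lines and certificate paths are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the APR listener with the setting the answer
# recommends (FIPSMode="on"), plus an APR HTTPS connector. Paths are placeholders.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/cert.pem"
               SSLCertificateKeyFile="/path/to/key.pem" />
  </Service>
</Server>"""

# Constructed catalina log in the Tomcat 8 format; the two FIPS messages are the
# ones the asker saw after enabling FIPSMode.
CATALINA_LOG = """13-Nov-2014 20:15:58.100 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
13-Nov-2014 20:15:58.101 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
13-Nov-2014 20:15:58.250 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
"""

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def fips_listener_setting(server_xml):
    """Return the FIPSMode value on the AprLifecycleListener ("off" if the
    attribute is missing, which is Tomcat's default), or None if the listener
    itself is not configured."""
    root = ET.fromstring(server_xml)
    for listener in root.iter("Listener"):
        if listener.get("className") == APR_LISTENER:
            return listener.get("FIPSMode", "off")
    return None


def fips_mode_configured(server_xml):
    """True only when the listener is present and FIPSMode is "on"."""
    return fips_listener_setting(server_xml) == "on"


def fips_mode_entered(log_text):
    """True only if the log shows FIPS mode was both initialised and entered;
    "Initializing FIPS mode..." alone means OpenSSL may have refused to enter it."""
    started = "Initializing FIPS mode" in log_text
    entered = "Successfully entered FIPS mode" in log_text
    return started and entered


if __name__ == "__main__":
    print("configured:", fips_mode_configured(SERVER_XML))
    print("entered:   ", fips_mode_entered(CATALINA_LOG))
```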