FIPS Compliance
The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a U.S. government computer security standard used to approve cryptographic modules. Opengear appliances operating in FIPS mode provide FIPS 140-2 level one compliance by using the FIPS-validated OpenSSL 3.0.8 cryptographic library while in FIPS mode.
Note: The default provider is version 3.0.10; however, the FIPS provider remains at 3.0.8 in release 23.10.3. See the provider listing example later in this topic, under Verify that FIPS is enabled.
Configure FIPS
Enable FIPS mode at the CLI as follows:
Enable FIPS
Enable FIPS via config shell:
root@<device name>:~# config
Welcome to the Opengear interactive config shell. Type ? or help for help.
config: system/fips
config(system/fips): enabled true
config(system/fips): apply
Updating entity system/fips.
Enable FIPS via ogcli:
ogcli update system/fips enabled=true
Disable FIPS
Disable FIPS via config shell:
root@<device name>:~# config
Welcome to the Opengear interactive config shell. Type ? or help for help.
config: system/fips
config(system/fips): enabled false
config(system/fips): apply
Updating entity system/fips.
Disable FIPS via ogcli:
ogcli update system/fips enabled=false
Verify that FIPS is enabled
- Check the OpenSSL FIPS providers.
root@<device name>:~# openssl list -providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.10
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.8
status: active
- Check that the digest algorithms provided by OpenSSL are limited to FIPS-compliant ciphers/algorithms.
root@<device name>:~# openssl list -digest-algorithms
...
Provided:
{ 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
{ 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
{ 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
{ 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
{ 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ default
{ 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
{ 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
{ 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
{ 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
{ 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
{ 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ default
{ KECCAK-KMAC-128, KECCAK-KMAC128 } @ default
{ KECCAK-KMAC-256, KECCAK-KMAC256 } @ default
{ 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ fips
{ 2.16.840.1.101.3.4.2.10, SHA3-512 } @ fips
{ 2.16.840.1.101.3.4.2.8, SHA3-256 } @ fips
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ fips
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ fips
{ 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ fips
{ 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ fips
{ 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ fips
{ 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
{ 2.16.840.1.101.3.4.2.9, SHA3-384 } @ fips
{ 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ fips
{ 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ fips
{ 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ fips
{ KECCAK-KMAC-128, KECCAK-KMAC128 } @ fips
{ KECCAK-KMAC-256, KECCAK-KMAC256 } @ fips
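As an added example, not from Opengear's documentation, the following POSIX shell functions apply the two checks above to a captured listing so the verification can be scripted (for instance from an audit job) instead of read by eye. The sample listings are constructed from the output shown on this page, with one MD5 line added under the default provider to show the non-FIPS case.

```shell
# Added example, not Opengear's code: offline checks over the two listings this page
# uses to verify FIPS mode. Samples are constructed from the page's output; the MD5
# line is added to show a non-FIPS digest that only the default provider offers.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'
SAMPLE_DIGESTS='Provided:
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ fips
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips'
# provider_info LISTING NAME: print "<version> <status>" of provider NAME from
# `openssl list -providers` output (nothing if the provider is not loaded).
provider_info() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*[A-Za-z0-9_-]+[ \t]*$/ { cur = $1; next }  # bare provider name line
        cur == want && $1 == "version:" { ver = $2 }
        cur == want && $1 == "status:"  { st = $2 }
        END { if (ver != "") print ver, st }'
}
# fips_provider_ok LISTING VERSION: succeed only if the fips provider is active at
# the expected version (3.0.8 on the release this page describes).
fips_provider_ok() {
    [ "$(provider_info "$1" fips)" = "$2 active" ]
}

# provider_offers LISTING PROVIDER ALG: succeed if ALG appears in a
# "{ oid, name, ... } @ PROVIDER" line of `openssl list -digest-algorithms` output.
provider_offers() {
    printf '%s\n' "$1" | awk -v want="$2" -v alg="$3" '
        index($0, "} @ ") > 0 {
            n = split($0, parts, "@"); prov = parts[n]; gsub(/[ \t]/, "", prov)
            if (prov != want) next
            body = parts[1]; sub(/^[^{]*[{]/, "", body); sub(/[}].*$/, "", body)
            k = split(body, names, ",")
            for (i = 1; i <= k; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", names[i])
                if (names[i] == alg) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }'
}
```

On the appliance, pass the live output instead of the samples, e.g. `fips_provider_ok "$(openssl list -providers)" 3.0.8` and `provider_offers "$(openssl list -digest-algorithms)" fips MD5` (the latter should fail when FIPS mode is correctly enabled).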
Considerations for using the FIPS Feature
In organizations where FIPS is required, the following points should be noted:
- The OpenSSL 3.0.8 FIPS provider limits the available cryptographic ciphers/algorithms to only those that have been validated by a laboratory as FIPS compliant.
Caution: Configuration backup should be taken before enabling or disabling FIPS.
Caution: FIPS has the potential to break any service with secure connectivity, including services listed in the following table:
Feature | Affected Process/Service | Impact |
---|---|---|
Lighthouse enrollment | OpenVPN | OpenVPN is not compliant with FIPS standards; this issue is a recognized problem specifically when OpenSSL 3.x is being used. Once OpenVPN addresses this issue, it will also meet FIPS compliance standards. However, for compatibility with Lighthouse enrollment, this feature remains enabled despite the non-compliance. |
IPsec | Strongswan | Needs to be operated in FIPS mode to be FIPS compliant. The other end of the tunnel does not need to be operating FIPS mode to connect. |
Remote authentication | freeradius, tacacs, ldap | These are not FIPS compliant. |
NTP | chrony | Authenticated NTP servers with MD5 will not connect. Use an algorithm that is FIPS compliant. |
SNMP | ogtrapd, snmpd, snmptrapd | Authentication and Encryption should be used as the security policy as V1 and V2 have no encryption. SNMPv3 with MD5 encryption will fail. Use an algorithm that is FIPS compliant. It is recommended that authPriv security policy is used when in FIPS mode for SNMPv3. |
LDAP | OpenSSL | LDAP has no encryption, therefore it does not use OpenSSL. For FIPS compliance it is recommended that it is not used. |
OpenSSL | OpenSSL MD5 | When OpenSSL MD5 is not available, pam_tacplus uses its own implementation of MD5. When FIPS is enabled it does not use OpenSSL (but will continue to work). Therefore, it is recommended that it is not used in FIPS mode. |
SMF | SMF | Use of the SMF feature will render the device non-compliant for FIPS. |
SSH connections | SSH | For SSH connections, a FIPS-compliant algorithm must be specified as part of the command to connect. See the note below the table. |
NetOps Modules | gre (Secure Provisioning), nom-ipaccess-lhvpn (IP access), nom-ag-lhvpn (Access Gateway) | Opengear NetOps Modules are not functional when FIPS mode is enabled. |
Wireguard | | Wireguard is not FIPS compliant and should not be used in FIPS mode. |
Routing protocols | | Routing protocols should not select an MD5 cipher. |
Note: SSH will require the cipher to be manually specified when FIPS is enabled, e.g. ssh root@10.0.0.1 -c aes256-gcm@openssh.com