
Administration Guide

FIPS-CC mode and OpenSSL FIPS provider

When the device is in FIPS-CC mode, the OpenSSL FIPS provider is installed globally at startup, so every OpenSSL application on the device automatically uses FIPS-compliant cryptography. An OpenSSL FIPS provider test (ossl-fips-provider-test) is added, and this self-test runs automatically at startup. The TLSv1.1 KDF self-test is removed.

The system defaults to the more secure TLSv1.2 and TLSv1.3 protocols instead of SSL3.0 and TLS1.1, and only Diffie-Hellman parameters of 2048 bits or higher are permitted, ensuring a robust security posture and aligning with industry standards.

When configuring a RADIUS server, the authentication method (auth-type) can only be set to PAP (Password Authentication Protocol), and the transport protocol (transport-protocol) can only be set to tls.

To manually run the OpenSSL FIPS provider self-test:
# execute fips kat ossl-fips-provider-test
HMAC              : KAT_Integrity        : Pass
HMAC              : Module_Integrity     : Pass
SHA1              : KAT_Digest           : Pass
SHA2              : KAT_Digest           : Pass
SHA3              : KAT_Digest           : Pass
AES_GCM           : KAT_Cipher           : Pass
AES_ECB_Decrypt   : KAT_Cipher           : Pass
RSA               : KAT_Signature        : Pass
ECDSA             : KAT_Signature        : Pass
ECDSA             : KAT_Signature        : Pass
DSA               : KAT_Signature        : Pass
TLS13_KDF_EXTRACT : KAT_KDF              : Pass
TLS13_KDF_EXPAND  : KAT_KDF              : Pass
TLS12_PRF         : KAT_KDF              : Pass
PBKDF2            : KAT_KDF              : Pass
SSHKDF            : KAT_KDF              : Pass
KBKDF             : KAT_KDF              : Pass
HKDF              : KAT_KDF              : Pass
SSKDF             : KAT_KDF              : Pass
X963KDF           : KAT_KDF              : Pass
X942KDF           : KAT_KDF              : Pass
HASH              : DRBG                 : Pass
CTR               : DRBG                 : Pass
HMAC              : DRBG                 : Pass
DH                : KAT_KA               : Pass
ECDH              : KAT_KA               : Pass
RSA_Encrypt       : KAT_AsymmetricCipher : Pass
RSA_Decrypt       : KAT_AsymmetricCipher : Pass
RSA_Decrypt       : KAT_AsymmetricCipher : Pass
Running OSSL-FIPS-TEST test...                 passed
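The output above is easy to read by eye, but on a fleet of devices an operator usually wants the self-test result collected and checked automatically: every known-answer test line must read Pass, the required test categories must all be present, and the summary line must read passed. The following parser is an added example written for this page; it is not Fortinet code and it makes no assumptions beyond the line layout shown above. The sample strings are constructed here (one of them deliberately alters a DRBG line to Fail) so the example runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of "execute fips kat ossl-fips-provider-test"
# output shown on this page (a subset of lines, all passing).
SAMPLE_PASS = """\
HMAC              : KAT_Integrity        : Pass
HMAC              : Module_Integrity     : Pass
SHA2              : KAT_Digest           : Pass
AES_GCM           : KAT_Cipher           : Pass
RSA               : KAT_Signature        : Pass
TLS13_KDF_EXTRACT : KAT_KDF              : Pass
CTR               : DRBG                 : Pass
ECDH              : KAT_KA               : Pass
Running OSSL-FIPS-TEST test...                 passed
"""

# Constructed failing variant: the CTR DRBG line and the summary are altered.
SAMPLE_FAIL = (SAMPLE_PASS
               .replace("CTR               : DRBG                 : Pass",
                        "CTR               : DRBG                 : Fail")
               .replace("passed", "failed"))

# "<algorithm> : <test> : <result>" lines, tolerant of the column padding.
LINE_RE = re.compile(r"^\s*(\S+)\s*:\s*(\S+)\s*:\s*(\S+)\s*$")
# "Running <name> test...   passed|failed" summary line.
SUMMARY_RE = re.compile(r"^Running\s+(\S+)\s+test\.\.\.\s+(\w+)\s*$")

# Test categories that must appear; taken from the output shown on this page.
REQUIRED_TESTS = {
    "Module_Integrity", "KAT_Digest", "KAT_Cipher", "KAT_Signature",
    "KAT_KDF", "DRBG", "KAT_KA",
}


@dataclass(frozen=True)
class KatResult:
    algorithm: str
    test: str
    result: str


def parse_kat_output(text):
    """Return ([KatResult, ...], summary) where summary is 'passed', 'failed' or None."""
    results = []
    summary = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append(KatResult(*m.groups()))
            continue
        s = SUMMARY_RE.match(line.strip())
        if s:
            summary = s.group(2).lower()
    return results, summary


def evaluate(text):
    """Judge a self-test transcript: healthy only if every line passed,
    every required test category appeared, and the summary says passed."""
    results, summary = parse_kat_output(text)
    failures = [r for r in results if r.result != "Pass"]
    missing = REQUIRED_TESTS - {r.test for r in results}
    return {
        "healthy": not failures and not missing and summary == "passed",
        "failures": failures,
        "missing": sorted(missing),
        "summary": summary,
        "count": len(results),
    }


if __name__ == "__main__":
    for label, sample in (("pass", SAMPLE_PASS), ("fail", SAMPLE_FAIL)):
        verdict = evaluate(sample)
        print(label, "healthy" if verdict["healthy"] else "UNHEALTHY",
              [f"{f.algorithm}/{f.test}" for f in verdict["failures"]],
              verdict["missing"])
```

Feeding a device's real transcript (captured over SSH, for instance) into evaluate gives a single boolean to alert on plus the specific failing or missing tests, which is more useful in a monitoring pipeline than trusting the final summary line alone.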
