FIPS-CC mode and OpenSSL FIPS provider
When the device is in FIPS-CC mode, the OpenSSL FIPS provider is installed globally at startup, ensuring that any OpenSSL application on the device is automatically FIPS-compliant. An OpenSSL FIPS provider test (ossl-fips-provider-test) is added, and this self-test runs automatically at startup. The TLSv1.1 KDF self-test is removed.
The system defaults to the more secure TLSv1.2 and TLSv1.3 protocols instead of SSL 3.0 and TLS 1.1, and only Diffie-Hellman parameters of 2048 bits or more are permitted, ensuring a robust security posture that aligns with industry standards.
When configuring a RADIUS server, the authentication method (auth-type) can only be set to PAP (Password Authentication Protocol), and transport-protocol can only be set to tls.
To manually run the OpenSSL FIPS provider self-test:

# execute fips kat ossl-fips-provider-test
HMAC : KAT_Integrity : Pass
HMAC : Module_Integrity : Pass
SHA1 : KAT_Digest : Pass
SHA2 : KAT_Digest : Pass
SHA3 : KAT_Digest : Pass
AES_GCM : KAT_Cipher : Pass
AES_ECB_Decrypt : KAT_Cipher : Pass
RSA : KAT_Signature : Pass
ECDSA : KAT_Signature : Pass
ECDSA : KAT_Signature : Pass
DSA : KAT_Signature : Pass
TLS13_KDF_EXTRACT : KAT_KDF : Pass
TLS13_KDF_EXPAND : KAT_KDF : Pass
TLS12_PRF : KAT_KDF : Pass
PBKDF2 : KAT_KDF : Pass
SSHKDF : KAT_KDF : Pass
KBKDF : KAT_KDF : Pass
HKDF : KAT_KDF : Pass
SSKDF : KAT_KDF : Pass
X963KDF : KAT_KDF : Pass
X942KDF : KAT_KDF : Pass
HASH : DRBG : Pass
CTR : DRBG : Pass
HMAC : DRBG : Pass
DH : KAT_KA : Pass
ECDH : KAT_KA : Pass
RSA_Encrypt : KAT_AsymmetricCipher : Pass
RSA_Decrypt : KAT_AsymmetricCipher : Pass
RSA_Decrypt : KAT_AsymmetricCipher : Pass
Running OSSL-FIPS-TEST test... passed
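The self-test output above has a regular shape (one `algorithm : test type : result` line per known-answer test, then a summary line), which makes it easy to audit centrally when the command is run on many devices. The following script is an added example, not FortiOS or OpenSSL code: it parses that output, flags any test whose result is not Pass, checks that the TLS 1.2/1.3 KDF and other required tests are present (the TLSv1.1 KDF test is expected to be absent, per the note above), and confirms the summary verdict. The sample inputs are constructed excerpts; the wording of a failing result line is an assumption, so any result other than Pass is treated as a failure.

```python
"""Audit the output of `execute fips kat ossl-fips-provider-test`.

Added example (not FortiOS or OpenSSL code): parses self-test lines of the form
`<algorithm> : <test type> : <result>` plus the trailing summary line, and reports
failed or missing known-answer tests. Sample inputs below are constructed.
"""
import re
from dataclasses import dataclass

KAT_LINE = re.compile(
    r"^\s*(?P<alg>[^\s:]+)\s*:\s*(?P<kind>[^\s:]+)\s*:\s*(?P<result>\S+)\s*$"
)
SUMMARY_LINE = re.compile(r"^\s*Running OSSL-FIPS-TEST test\.\.\.\s*(?P<verdict>\w+)\s*$")

# Self-tests that must appear on a FIPS-CC device. The TLS 1.2/1.3 KDF tests are
# required; the TLSv1.1 KDF test has been removed, so its absence is expected.
REQUIRED = {
    ("HMAC", "Module_Integrity"),
    ("TLS13_KDF_EXTRACT", "KAT_KDF"),
    ("TLS13_KDF_EXPAND", "KAT_KDF"),
    ("TLS12_PRF", "KAT_KDF"),
    ("CTR", "DRBG"),
}


@dataclass(frozen=True)
class KatResult:
    algorithm: str
    kind: str
    result: str


def parse_kat_output(text: str):
    """Return (list of KatResult, summary verdict lower-cased or None)."""
    results, verdict = [], None
    for line in text.splitlines():
        m = KAT_LINE.match(line)
        if m:
            results.append(KatResult(m["alg"], m["kind"], m["result"]))
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            verdict = m["verdict"].lower()
    return results, verdict


def audit_kat_output(text: str) -> dict:
    """Flag tests not reporting Pass, required tests that are missing, and a
    summary line that is absent or not 'passed'."""
    results, verdict = parse_kat_output(text)
    seen = {(r.algorithm, r.kind) for r in results}
    failed = [r for r in results if r.result != "Pass"]
    missing = sorted(REQUIRED - seen)
    return {
        "tests": len(results),
        "failed": failed,
        "missing": missing,
        "verdict": verdict,
        "ok": not failed and not missing and verdict == "passed",
    }


# Constructed excerpt of a passing run (same line format as the full device output).
SAMPLE_PASS = """\
HMAC : KAT_Integrity : Pass
HMAC : Module_Integrity : Pass
SHA2 : KAT_Digest : Pass
AES_GCM : KAT_Cipher : Pass
RSA : KAT_Signature : Pass
TLS13_KDF_EXTRACT : KAT_KDF : Pass
TLS13_KDF_EXPAND : KAT_KDF : Pass
TLS12_PRF : KAT_KDF : Pass
CTR : DRBG : Pass
ECDH : KAT_KA : Pass
Running OSSL-FIPS-TEST test... passed
"""

# Constructed failing run: one KAT reports Fail and the TLS 1.2 PRF test is absent.
# The exact wording "Fail" is an assumption; anything other than Pass is flagged.
SAMPLE_FAIL = """\
HMAC : Module_Integrity : Pass
AES_GCM : KAT_Cipher : Fail
TLS13_KDF_EXTRACT : KAT_KDF : Pass
TLS13_KDF_EXPAND : KAT_KDF : Pass
CTR : DRBG : Pass
Running OSSL-FIPS-TEST test... failed
"""

if __name__ == "__main__":
    for name, text in (("pass", SAMPLE_PASS), ("fail", SAMPLE_FAIL)):
        report = audit_kat_output(text)
        failed_names = [f"{r.algorithm}/{r.kind}" for r in report["failed"]]
        print(name, "OK" if report["ok"] else "PROBLEM",
              f"tests={report['tests']} failed={failed_names} "
              f"missing={report['missing']} verdict={report['verdict']}")
```

The required-test set is intentionally small and should be extended to the full list a given firmware prints; the point is that an absent test (a stripped-down or wrong provider build) is as much a finding as a failed one, and that the script does not trust the summary line alone.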