Manoj Guglani

Reputation: 154

Is Nginx open source FIPS compliant?

I am investigating FIPS compliance for our platform. nginx is one of the components and we use nginx 1.15.1. I found the documentation about nginx plus being FIPS compliant.

When NGINX Plus is executed on an operating system where a FIPS‑validated OpenSSL cryptographic module is present and FIPS mode is enabled, NGINX Plus is compliant with FIPS 140-2 with respect to the decryption and encryption of SSL/TLS and HTTP/2 traffic.

https://docs.nginx.com/nginx/fips-compliance-nginx-plus/

Does this apply to open source nginx as well? I did not find any documentation for the open source version. I have posted the query in the nginx forum as well, but I am checking here too in case folks have already done FIPS compliance with the open source version.

Upvotes: 8

Views: 3562

Answers (2)

Hightower

Reputation: 61

To add to @Anthony Mastrean's answer, you can totally use nginx open source and achieve FIPS compliance with FIPS 140-2 validated crypto modules - it's just that you have to do more work yourself. It mostly comes down to:

If you want to pay nginx, their paid "plus" offering does some/most of this setup for you.

e.g. for OS: https://aws.amazon.com/blogs/publicsector/enabling-fips-mode-amazon-linux-2/

e.g. for OpenSSL: https://wiki.openssl.org/index.php/FIPS_mode_and_TLS

Upvotes: 2
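The work the answer above leaves to you is verifying the host yourself: kernel FIPS mode on, nginx built with the SSL module, and the OpenSSL it actually loads being a FIPS build. The following is an added example (not code from nginx, OpenSSL or either answerer) that collects those facts from `nginx -V` and `/proc/sys/crypto/fips_enabled` and reports a posture; the command outputs embedded in it are constructed samples, the Linux paths are assumed, and the `-fips` version-string check is a heuristic for distribution FIPS builds such as the sample's `1.0.2k-fips`, not proof that the module is the validated one.

```python
"""Host checks for whether an open source nginx build is in a position to
be FIPS 140-2 compliant. Example code, not nginx's or OpenSSL's tooling.
The command outputs below are constructed samples."""
import re
import subprocess

# Constructed sample of `nginx -V` output (nginx prints it on stderr).
SAMPLE_NGINX_V = """nginx version: nginx/1.15.1
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""

# Constructed sample of /proc/sys/crypto/fips_enabled on a host in FIPS mode.
SAMPLE_FIPS_ENABLED = "1\n"


def parse_nginx_v(text):
    """Pull the facts we need out of `nginx -V` output.

    nginx always prints 'built with OpenSSL X' and adds 'running with
    OpenSSL Y' only when the library loaded at runtime differs from the one
    it was compiled against, so a 'running with' line is itself a finding.
    """
    version = re.search(r"^nginx version: nginx/(\S+)", text, re.M)
    built = re.search(r"^built with OpenSSL (\S+)", text, re.M)
    running = re.search(r"^running with OpenSSL (\S+)", text, re.M)
    return {
        "version": version.group(1) if version else None,
        "built_with": built.group(1) if built else None,
        "running_with": running.group(1) if running else None,
        "ssl_module": "--with-http_ssl_module" in text,
    }


def assess(nginx_v_text, fips_enabled_text):
    """Combine the nginx facts with kernel FIPS state into a posture report.

    'candidate' means nothing visible rules FIPS compliance out. It does not
    prove the OpenSSL build is the validated module; that is exactly the
    part nginx does not vouch for on the open source build.
    """
    info = parse_nginx_v(nginx_v_text)
    effective = info["running_with"] or info["built_with"]
    report = {
        "kernel_fips_mode": fips_enabled_text.strip() == "1",
        "ssl_module": info["ssl_module"],
        # Heuristic: distribution FIPS builds tag the version string
        # (e.g. 1.0.2k-fips); a plain version string suggests a non-FIPS module.
        "openssl_fips_build": bool(effective) and effective.endswith("-fips"),
        # A build/runtime mismatch is an audit finding: the binary was not
        # built against the library it is executing, so review it by hand.
        "runtime_differs_from_build": info["running_with"] is not None,
        "effective_openssl": effective,
    }
    report["candidate"] = (
        report["kernel_fips_mode"]
        and report["ssl_module"]
        and report["openssl_fips_build"]
        and not report["runtime_differs_from_build"]
    )
    return report


def _run(cmd):
    """Run a command and return stdout+stderr, or '' if the binary is absent."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stdout + proc.stderr


def collect_live():
    """Gather the real inputs from this host (Linux paths assumed)."""
    try:
        with open("/proc/sys/crypto/fips_enabled") as fh:
            fips = fh.read()
    except OSError:
        fips = "0"
    return _run(["nginx", "-V"]), fips


if __name__ == "__main__":
    nginx_v, fips = collect_live()
    if not nginx_v:
        print("nginx not found on PATH; assessing the constructed sample instead")
        nginx_v, fips = SAMPLE_NGINX_V, SAMPLE_FIPS_ENABLED
    for key, value in assess(nginx_v, fips).items():
        print(f"{key:28} {value}")
```

Run it on the host as the user that can execute `nginx`; a `candidate` of `False` tells you which of the three prerequisites is missing, while a `True` still leaves the build-provenance question from the other answer open.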

Anthony Mastrean

Reputation: 22384

According to this blog post, it's not a "No" but more of a "We can't be sure" (emphasis mine):

NGINX tests and verifies that NGINX Plus operates correctly when it is run on a FIPS‑enabled OS that is running in FIPS mode. NGINX cannot make similar statements for NGINX Open Source...

https://www.nginx.com/blog/achieving-fips-compliance-nginx-plus/#FIPS-Compliance-with-NGINX-Open-Source

They can't make claims for the OS you compile on or the flags that you use to build. There's a lot going on in an OpenSSL build.

https://wiki.openssl.org/index.php/Compilation_and_Installation

And any deviation from the "trusted path" or "validated" build steps may invalidate your installation.

https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Upvotes: 7
