
I have CentOS 7 and Apache and the Haproxy load balancer with SSL support. How to make the server compliant to FIPS 140-2?

From CHAPTER 10. FEDERAL STANDARDS AND REGULATIONS | redhat.com I got the following instructions:

/etc/sysconfig/prelink
PRELINKING=no

# yum install dracut-fips
# dracut -f
fips=1

$ df /boot
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1               495844     53780    416464  12% /boot

boot=/dev/sda1

/etc/ssh/sshd_config
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512

Is this enough to make my HTTPS services FIPS 140-2 compliant?

  • You don't need to do anything to make it FIPS-*compatible*; FIPS algorithms are supported by default. Did you mean FIPS-**compliant**? That's a completely different concept. And it applies to *software* (or more precisely to systems), not to *traffic*. What exactly do you need (**quote** any requirements that you have, don't interpret them, the language is subtle)? What is missing in the page you link to? – Gilles 'SO- stop being evil' Apr 13 '18 at 07:23
  • From your perspective, FIPS compliance is a matter of making sure not to use cryptographic software that isn't compliant. Programs that don't use cryptography don't matter. Programs that do (e.g. the HTTPS part of Apache and Haproxy) must be used in FIPS mode. – Gilles 'SO- stop being evil' Apr 13 '18 at 14:34
  • Thank you Gilles. Cleared my whole confusion with your second comment statement. `Programs that don't use cryptography don't matter. Programs that do (e.g. the HTTPS part of Apache and Haproxy) must be used in FIPS mode.` – Apr 16 '18 at 06:14

1 Answer

In addition to SSL/TLS, OpenSSL provides general purpose crypto libraries. In context, FIPS-mode merely removes access to all of the algorithms that have not been approved by NIST. If in FIPS mode, the following command should fail.

openssl md5 filename

On Red Hat systems at least, one can also find the status of FIPS mode in the proc file system.

cat /proc/sys/crypto/fips_enabled

The command prints 0 (FIPS is not enabled) or 1 (FIPS is enabled).

Is it possible that one may need to regenerate certificates for the Web servers after entering FIPS mode? Perhaps.

Is the FIPS-mode requirement also a small part of applying a STIG? There exists a very convenient website to view STIG requirements. The RHEL6 STIG is available at stigviewer.com. Included in the requirements are the commands to apply and verify the settings. It's quite easy to do. The official source is somewhat more difficult to use, but a RHEL7 STIG does exist there. The STIGs from the official sources are produced in XML and expected to be viewed with "STIG Viewer Version 2.7," which can be found in the list of STIGs.

Update: the RHEL7 STIG is now available at stigviewer.com.

Do the very best you can do, and then let the Information Assurance Officer tell you what more may need to be done. In addition, one could choose to apply the draft version of the RHEL7 STIG at the time of installation by choosing a security policy, as illustrated below. This policy does some of the "heavy lifting" in STIG configuration, but one would still need to verify that all STIG settings have been applied.

[Image: CentOS7 Security Policy Selection]

There are also other applicable STIGs, one for the Web server and one for the Web application. A database STIG may also apply.

Christopher
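As an added example (not code from the question, the answer, or Red Hat's documentation), here is a small POSIX shell audit that checks the settings named in this thread on a CentOS/RHEL 7 host: /proc/sys/crypto/fips_enabled, fips=1 on the kernel command line (plus boot= when /boot is a separate partition, as in the question's df output), PRELINKING=no in /etc/sysconfig/prelink, an sshd Ciphers line restricted to the list given in the question, and openssl md5 being refused. Every check takes its input as an argument so it can be run against constructed sample files as well as the live paths; the live paths, the sample command lines, the cipher allowlist (taken verbatim from the question, not from a NIST list) and the --audit flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit the FIPS 140-2 settings discussed in the thread on a
# CentOS/RHEL 7 host. Each check is a function taking its input as an argument
# so it can be exercised against constructed sample files. Paths and the
# --audit convention are assumptions of this example.

# /proc/sys/crypto/fips_enabled holds 0 or 1; the path is a parameter for testing.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# The kernel command line must carry fips=1. When /boot is a separate partition
# (second argument "separate-boot"), boot=<device> must be present as well so the
# FIPS integrity check can locate the kernel's HMAC file under /boot.
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) ;;
        *) return 1 ;;
    esac
    if [ "$2" = "separate-boot" ]; then
        case " $1 " in
            *" boot="?*) return 0 ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# /etc/sysconfig/prelink must set PRELINKING=no; prelinking rewrites binaries and
# breaks their integrity checks. A missing file means prelink is not installed.
prelink_disabled() {
    [ -r "$1" ] || return 0
    grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$1"
}

# sshd_config: every entry on the first Ciphers line must be in the allowlist,
# which here is exactly the list quoted in the question. Runs in a subshell so
# the IFS change does not leak to the caller.
sshd_ciphers_ok() (
    line=$(grep -Ei '^[[:space:]]*Ciphers[[:space:]]' "$1" | head -n1)
    [ -n "$line" ] || return 1
    IFS=,
    for c in $(printf '%s' "$line" | awk '{print $2}'); do
        case "$c" in
            aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc) ;;
            *) return 1 ;;
        esac
    done
    return 0
)

# In FIPS mode openssl refuses non-approved digests such as MD5, so the answer's
# "openssl md5 filename" must fail. Returns 0 only if openssl exists and refuses.
md5_rejected() {
    command -v openssl >/dev/null 2>&1 || return 1
    ! openssl md5 "$1" >/dev/null 2>&1
}

# Live audit of the real host: one line per check (only meaningful on the host).
audit_host() {
    fips_enabled && echo "ok   fips_enabled=1" || echo "FAIL fips_enabled is not 1"
    if [ "$(df --output=target /boot 2>/dev/null | tail -n1)" = "/boot" ]; then
        mode=separate-boot
    else
        mode=
    fi
    cmdline_has_fips "$(cat /proc/cmdline 2>/dev/null)" "$mode" \
        && echo "ok   fips=1 (and boot= if needed) on kernel cmdline" \
        || echo "FAIL fips=1/boot= missing from kernel cmdline"
    prelink_disabled /etc/sysconfig/prelink \
        && echo "ok   prelinking disabled" || echo "FAIL PRELINKING=no not set"
    sshd_ciphers_ok /etc/ssh/sshd_config \
        && echo "ok   sshd Ciphers restricted" || echo "FAIL sshd Ciphers contain an unlisted cipher"
    md5_rejected /etc/hostname \
        && echo "ok   openssl refuses md5" || echo "FAIL openssl still computes md5"
}

# Run the live audit only when explicitly asked: sh fips_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it with `--audit` on the host after the reboot that enables fips=1; before that reboot, the fips_enabled and openssl checks are expected to report FAIL even when the configuration files are already correct, which is why the checks are split rather than rolled into one pass/fail result.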