The version of OpenSSL in the LoadMaster was updated from 1.0.2 to 3.0 as of Long Term Support Feature (LTSF) firmware version 7.2.54.7. Only FIPS-approved ciphers are available in the FIPS LoadMaster. In the 7.2.54.7 release, additional ciphers were added to the LoadMasters. However, the same ciphers that were in the 7.2.54.6 release are still available in 7.2.54.7.

The OpenSSL 3 FIPS Object Module (FOM) is compiled to run at a specific security level that determines the ciphers and key lengths supported at run time. (This is distinct from the FIPS 140-2 overall security level mentioned in the introduction to this document.) The OpenSSL FOM running security level is security level 1. For further details on the security levels, refer to the following OpenSSL page: SSL_CTX_set_security_level.

Here is a basic list of prohibitions at security level 1:
  • RSA, DSA, and DH keys shorter than 1024 bits are prohibited.
  • ECC keys shorter than 160 bits are prohibited.
  • All export cipher suites are prohibited.
  • SSL version 2 is prohibited.
  • Any cipher suite using MD5 for the MAC is prohibited.
  • Signatures using SHA1 and MD5 are prohibited.
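
The list above can be turned into a pre-upgrade check of existing certificates and cipher settings. The following Python sketch is an added example, not part of the LoadMaster documentation; the record layout and field names (`key_type`, `key_bits`, `sig_hash`) are hypothetical, the sample record is constructed, and cipher suites are assumed to be given in OpenSSL naming.

```python
# Level-1 minimum key sizes in bits and prohibited signature hashes, from the list above.
MIN_KEY_BITS = {"RSA": 1024, "DSA": 1024, "DH": 1024, "ECC": 160}
KEY_ALIASES = {"EC": "ECC", "ECDSA": "ECC"}
WEAK_SIG_HASHES = {"MD5", "SHA1"}

def check_key(algorithm, bits):
    """Return a finding for a key shorter than the level-1 minimum, else None."""
    name = KEY_ALIASES.get(algorithm.upper(), algorithm.upper())
    minimum = MIN_KEY_BITS.get(name)
    if minimum is None:
        return f"{algorithm}: key type not covered by the list, review manually"
    if bits < minimum:
        return f"{algorithm} {bits}-bit key is shorter than {minimum} bits"
    return None

def check_signature(hash_name):
    """Return a finding for a SHA1 or MD5 signature, else None."""
    if hash_name.upper().replace("-", "") in WEAK_SIG_HASHES:
        return f"signature using {hash_name} is prohibited"
    return None

def check_cipher(suite):
    """Return a finding for an export or MD5-MAC suite (OpenSSL names), else None."""
    parts = suite.upper().split("-")
    if parts[0].startswith("EXP"):
        return f"{suite}: export cipher suite"
    if parts[-1] == "MD5":
        return f"{suite}: MD5 used for the MAC"
    return None

def audit(service):
    """Collect every level-1 finding for one service record."""
    findings = []
    if service.get("protocol", "").upper() in {"SSLV2", "SSL2"}:
        findings.append("SSL version 2 is prohibited")
    for cert in service.get("certificates", []):
        findings.append(check_key(cert["key_type"], cert["key_bits"]))
        findings.append(check_signature(cert["sig_hash"]))
    findings.extend(check_cipher(s) for s in service.get("ciphers", []))
    return [f for f in findings if f]

# Constructed sample record (hypothetical layout, illustrative values only).
SAMPLE = {
    "protocol": "TLSv1.2",
    "certificates": [{"key_type": "RSA", "key_bits": 512, "sig_hash": "SHA-1"},
                     {"key_type": "EC", "key_bits": 256, "sig_hash": "SHA384"}],
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "EXP-RC4-MD5", "RC4-MD5"],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
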

The SSL hardware acceleration cards used in hardware LoadMasters do not support OpenSSL 3.0. Therefore, when you enable FIPS mode, these hardware acceleration cards are bypassed and the LoadMaster's general processor handles encryption/decryption tasks instead.