Security Updates - OpenSSL 3.0.8 Support (FIPS Mode ONLY)
- Last Updated: July 31, 2024
- 2 minute read
- LoadMaster
- LoadMaster LTSF
- Documentation
Software FIPS mode has been updated with the Progress LoadMaster FIPS Object Module (FOM), based on the OpenSSL Version 3.0.8 FOM, and has been submitted for FIPS 140-2 certification.
Software FIPS mode is entered by clicking Certificates & Security > Remote Access > Enable Software FIPS Mode in the UI. [Please note that changing to FIPS mode is a one-way change -- you cannot go back to non-FIPS mode after entering FIPS mode.]
There are several differences between the Progress LoadMaster FOM introduced in LMOS 7.2.54.7 and the FOM used in earlier LoadMaster releases. All these changes ensure that LoadMaster complies with the latest security requirements and guidelines for modern FIPS systems. Please ensure that your configuration and application infrastructure are prepared for these restrictions before you update your FIPS system to this release.
- The Progress LoadMaster FOM operates at OpenSSL Security Level 1, which
corresponds to a minimum of 80 bits of security. Any keys, ciphers, etc., offering
below 80 bits of security are prohibited. Please specifically note the following:
- RSA keys 1024 bits long or less are prohibited.
- DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited.
- All export cipher suites are prohibited.
- SSL version 2 ciphers are prohibited.
- Any cipher suite using MD5 for the MAC is prohibited.
- Signatures using SHA1 and MD5 are prohibited.
- SSL3.0, TLS1.0, and TLS 1.1 ciphers are not available as required by the latest FIPS standards. They cannot be enabled in FIPS mode.
- DSA keys are limited to 2048 bits in FIPS mode.
- The cipher sets in FIPS mode include only the
following FIPS-compliant TLS 1.2 and TLS 1.3 ciphers:
- AES128-GCM-SHA256
- AES128-SHA256
- AES256-GCM-SHA384
- AES256-SHA256
- DHE-DSS-AES128-GCM-SHA256
- DHE-DSS-AES128-SHA256
- DHE-DSS-AES256-GCM-SHA384
- DHE-DSS-AES256-SHA256
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384