FIPS 140-2 Compliance in SSL/TLS, SSH, SMIME and Cloud Components

Requirements: One of the following libraries, but only for the specific OS/language combinations listed below.

Additionally, the Java edition requires Bouncy Castle FIPS to be downloaded and installed separately; for more information see the Java details below.

The following table lists the current language, OS and library FIPS compatability

Windows macOS/Linux
.NET Framework
.NET Core, .NET Standard
C++, Python, Delphi, PHP
Java
JavaScript, Node.js

Contents

FIPS 140-2 Compatability

FIPS-compliant algorithms in IPWorks SSL and IPWorks SSH utilize the underlying operating system's certified APIs. Java editions, regardless of OS, utilize Bouncy Castle FIPS, while all the other Windows editions make use of Microsoft security libraries.

Using FIPS-compliant Libraries

C++

FIPS mode can be enabled in the C++ editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For example:

Component.Config("UseFIPSCompliantAPI=true");

Note that this setting is only applicable on Windows.

.NET

FIPS compliance applies to all of the .NET binaries in our libraries, but only on Windows. FIPS mode can be enabled in the .NET editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For example:

Component.Config("UseFIPSCompliantAPI=true");

Note that this setting is only applicable on Windows.

Java

The Java editions of IPWorks SSL and IPWorks SSH require installation of the FIPS certified Bouncy Castle library regardless of the target operating system. This can be downloaded from https://www.bouncycastle.org/fips-java/. Only the "Provider" library is needed. The jar file should then be installed in a JRE search path.

FIPS mode can be enabled in the Java editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

In the application where the component will be used the following classes must be imported:

import java.security.Security; import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true"); Security.addProvider(new BouncyCastleFipsProvider());

When UseFIPSCompliantAPI is true, SSL enabled classes can optionally be configured to use the TLS Bouncy Castle library. When SSLProvider is set to sslpAutomatic (default) or sslpInternal an internal TLS implementation is used, but all cryptographic operations are offloaded to the BCFIPS provider in order to achieve FIPS compliant operation. If SSLProvider is set to sslpPlatform the Bouncy Castle JSSE will be used in place of the internal TLS implementation.

To enable the use of the Bouncy Castle JSSE take the following steps in addition to the steps above. Both the Bouncy Castle FIPS provider and the Bouncy Castle JSSE must be configured to use the Bouncy Castle TLS library in FIPS mode. Obtain the Bouncy Castle TLS library from https://www.bouncycastle.org/fips-java/. The jar file should then be installed in a JRE search path.

In the application where the component will be used the following classes must be imported:

import java.security.Security; import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; //required to use BCJSSE when SSLProvider is set to sslpPlatform import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true"); Security.addProvider(new BouncyCastleFipsProvider()); //required to use BCJSSE when SSLProvider is set to sslpPlatform Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS")); //optional - configure logging level of BCJSSE Logger.getLogger("org.bouncycastle.jsse").setLevel(java.util.logging.Level.OFF); //configure the class to use BCJSSE component.setSSLProvider(1); //platform component.config("UseFIPSCompliantAPI=true"); Note: TLS 1.3 support requires the Bouncy Castle TLS library version 1.0.14 or later.

After the above configuration the component can be configured to use the FIPS compliant implementation like so:

Component.Config("UseFIPSCompliantAPI=true");

Licensing

Enabling FIPS-compliance requires a special license; please contact sales@nsoftware.com for details.

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.