HAProxy community

HAProxy as a FIPS compliance


#1

Experts,

What needs to be done on the HAProxy side to make it FIPS compliant? Are there any specific configurations to enable FIPS in HAProxy?

Thanks


#2

Regarding TLS/SSL in haproxy, FIPS compliance is directly dependent on OpenSSL, therefore refer to the OpenSSL FIPS documentation for this.

As far as I know, CentOS usually has FIPS enabled on their OpenSSL builds by default (at least, -fips always appears in the version string of OpenSSL on CentOS and therefore in the haproxy -vv output).

I don’t know whether FIPS also requires additional changes in the application (as opposed to just the openssl library). If that would be the case, haproxy would not support it (there is no specific FIPS related code in haproxy).

Please make sure you get authoritative information from somewhere, not just random opinions from guys on the Internet, we are talking regulatory compliance after all.
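The version-string check mentioned in #2, as an added example that is not part of any post in this thread: it reads `haproxy -vv` output and reports whether the build-time and runtime OpenSSL strings both carry the `-fips` tag. The sample output and the function names are constructed for illustration; the tag describes how the library was built and does not show that FIPS mode is active.

```shell
#!/bin/sh
# Constructed sample of the two OpenSSL lines printed by `haproxy -vv`
# (illustrative values, not captured from a real host).
SAMPLE_VV='Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017'

# openssl_line LABEL TEXT: print the OpenSSL version string that follows
# "LABEL OpenSSL version : " in TEXT (empty if the line is absent).
openssl_line() {
    printf '%s\n' "$2" | sed -n "s/^$1 OpenSSL version : //p" | head -n 1
}

# has_fips_tag STRING: succeed if the version string carries "-fips".
has_fips_tag() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_fips_string TEXT: classify `haproxy -vv` output.
#   fips-build      both build-time and runtime libraries carry -fips
#   non-fips-build  neither does
#   mismatch        haproxy was built against one kind and runs on the other
#   unknown         the OpenSSL lines were not found (e.g. built without SSL)
check_fips_string() {
    built=$(openssl_line 'Built with' "$1")
    running=$(openssl_line 'Running on' "$1")
    if [ -z "$built" ] || [ -z "$running" ]; then
        echo unknown
    elif has_fips_tag "$built" && has_fips_tag "$running"; then
        echo fips-build
    elif has_fips_tag "$built" || has_fips_tag "$running"; then
        echo mismatch
    else
        echo non-fips-build
    fi
}

# On a real host: check_fips_string "$(haproxy -vv 2>&1)"
check_fips_string "$SAMPLE_VV"
```
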


#3

Thanks Lukas. As far as I know, OpenSSL itself is not validated for FIPS; instead there is a separate software component called the OpenSSL FIPS Object Module that is created for FIPS compliance. Also, FIPS compliance is currently only supported for OpenSSL 1.0.1/1.0.2.

So another question here is, is the latest HAProxy version (1.9) supported with OpenSSL 1.0.1/0.2?

Also, if you are saying there is no FIPS related code in HAProxy, then by implementing the OpenSSL FIPS Object Module can we leverage HAProxy to be utilized as FIPS compliant? To confirm, the HTTPS part of HAProxy uses the OpenSSL module (correct me if I’m wrong)?

Please ignore my typos :slight_smile:

Thanks


#4

I can confirm OpenSSL 1.0.1 and 1.0.2 are supported even in the latest haproxy releases, and support will be there for - probably a long - time.

I have no idea.

Haproxy uses openssl for SSL/TLS encryption. Whether that’s enough to achieve FIPS compliance, I don’t know.

