Access Server FIPS Compliance

Abstract

How to run your corporate VPN, Access Server, so that it is FIPS compliant.

FIPS and Access Server

Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules that protect sensitive information. You can install Access Server on various operating systems whose OpenSSL cryptographic library has been assessed by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP).

Access Server uses the cryptographic module of the OpenSSL library provided by the operating system, which implements the cryptographic primitives. With default settings, Access Server works within the restrictions that FIPS imposes. If FIPS mode is enabled on the Linux OS, non-approved cryptographic functions aren't allowed in OpenSSL, and therefore not in Access Server.

Access Server enforces these restrictions, meaning OpenVPN clients can't connect using unsupported ciphers. As a result, optional features such as ChaCha20-Poly1305 data encryption are unavailable in a FIPS environment. Access Server is therefore compliant with FIPS restrictions.

If you use Access Server on a Linux OS with FIPS mode enabled, it will be FIPS compliant, and all connection clients must use FIPS-approved ciphers.
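A pre-flight check for the host, as an added example that is not part of the original page: it reads the kernel's FIPS flag and probes the system OpenSSL to confirm that a non-approved cipher (plain ChaCha20, standing in for ChaCha20-Poly1305, which `openssl enc` cannot drive) is refused while AES is accepted. The `fips_enabled`, `cipher_usable` and `fips_report` function names are this example's own.

```shell
#!/bin/sh
# Pre-flight check for a Linux host that will run Access Server in FIPS mode.
# Added example, not part of the OpenVPN documentation. It relies only on the
# kernel's /proc/sys/crypto/fips_enabled flag and the system openssl CLI.

# Print 1 if the kernel reports FIPS mode, 0 otherwise. A missing flag counts
# as disabled, the conservative answer for a compliance check.
fips_enabled() {
    f=/proc/sys/crypto/fips_enabled
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Report whether the system OpenSSL will run the named cipher: prints yes, no,
# or unknown (no openssl on PATH). Key and IV are constructed all-zero values;
# only whether the algorithm is permitted matters here, not the ciphertext.
# `openssl enc` cannot drive AEAD modes, so plain ChaCha20 stands in for the
# ChaCha20-Poly1305 feature the page says is unavailable under FIPS.
cipher_usable() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    key=$(printf '%064d' 0)   # 32 zero bytes as hex
    iv=$(printf '%032d' 0)    # 16 zero bytes as hex
    if printf 'probe' | openssl enc "-$1" -K "$key" -iv "$iv" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Summarise what an Access Server deployment on this host can expect: with
# FIPS mode on, AES should report yes and ChaCha20 should report no.
fips_report() {
    echo "kernel_fips_mode=$(fips_enabled)"
    echo "aes-256-cbc=$(cipher_usable aes-256-cbc)"
    echo "chacha20=$(cipher_usable chacha20)"
}

fips_report
```

Run it on the candidate host before installing Access Server; a result of `kernel_fips_mode=1` together with `chacha20=no` is what the page's FIPS-mode behaviour looks like from the OpenSSL side.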

Table 1. FIPS compliance behavior in Access Server

Feature / Behavior         | Default Mode (FIPS disabled)         | FIPS Mode Enabled
---------------------------|--------------------------------------|------------------------------------------------------
Cryptographic backend      | OpenSSL (OS provided)                | OpenSSL with FIPS enforcement
Use of non-FIPS ciphers    | Allowed (e.g., ChaCha20-Poly1305)    | Not allowed
Client cipher enforcement  | Clients can use any supported cipher | Only FIPS-approved ciphers accepted
Optional features          | All features compatible              | Some features, like ChaCha20-Poly1305, aren't compatible
FIPS compliance            | Not enforced                         | Fully FIPS-compliant (when OS is in FIPS mode)

Operating system recommendation

Usually, we recommend Ubuntu LTS because it has a good balance between lifecycle support and reasonably up-to-date software. However, if you require FIPS, we recommend using the Red Hat Enterprise Linux operating system instead, preferably with FIPS mode enabled at installation time.

How to enable FIPS mode

Running Access Server in FIPS mode requires enabling this mode in the operating system. The method varies per operating system. We reference external official documentation explaining how to enable it on the particular operating system:

Notes

We tested the operating systems listed above with Access Server in FIPS mode. While you might configure other operating systems to run in FIPS mode, we haven’t explicitly tested them with Access Server.

Ubuntu LTS is supported but requires either Ubuntu Pro or the Ubuntu Advantage service to install the software necessary to support FIPS mode. On some IaaS providers, you can find a specialized deployment image.

The warning "gpg: out of core handler ignored in FIPS mode" may be shown during installation. When the PGP key for verifying signatures of packages from the Access Server software repository is added, GPG may emit this message as it cycles through existing keys that may not meet FIPS requirements. The new key for the Access Server repository installs correctly regardless, and the installation can proceed normally.

The warning "UserWarning: OpenSSL FIPS mode is enabled. Can't enable DRBG fork safety." may be shown during installation or when setting a local account password on the command line. It can appear on Red Hat 7 and Amazon Linux 2. The warning is benign, and the program functions correctly despite it. Access Server 2.14 and newer no longer support Amazon Linux 2.