FIPS module limitations

Context

As of Blue Cedar 3.21.1, the FIPS module is based on OpenSSL. This change affects some functionality on the gateway.

Known issues

Note these limitations:

  • Certificate enrollment is only tested and supported using Microsoft NDES 2012.

  • Microsoft NDES 2008 does not work due to its use of obsolete cryptographic algorithms that are not supported by the FIPS module.

  • Rotating passwords in MS NDES (all versions) do not work when FIPS is enabled. Single passwords work fine. Rotating password support requires the configuration of a service account with associated password, which causes an NTLM authentication handshake with a dependency on a hash algorithm (MD5) that is not supported in FIPS mode.

  • The FIPS module cannot handle identity certificates encrypted using RC2. The PKCS7 data embedded in base-64 encoded PKCS12 cannot be parsed if it is encrypted with RC2. Most customer certificates issued by a certificate authority are not expected to be impacted.
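As an added pre-flight check, not part of the Blue Cedar documentation or product: a Python script that screens a base-64 encoded PKCS12 blob for the RC2 algorithm identifiers the FIPS module cannot parse, so a bundle can be rejected or re-exported before it is uploaded to the gateway. It assumes the input is the raw base-64 PKCS12 (PEM armour lines, if present, are stripped) and locates the AlgorithmIdentifier OIDs with a byte search rather than a full ASN.1 parse, since those identifiers sit in plaintext DER outside the encrypted content.

```python
import base64

# RC2-based algorithm OIDs a FIPS-mode OpenSSL will not process.
# pbeWithSHA1And40BitRC2-CBC was the long-standing default for the
# certificate bag in "openssl pkcs12 -export", so older exports carry it.
RC2_OIDS = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
    "1.2.840.113549.3.2": "rc2-cbc",
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as a complete TLV: tag 0x06, length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # low 7 bits, continuation bit clear
        arc >>= 7
        while arc:                               # higher groups carry the 0x80 flag
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)


def rc2_algorithms_in_pkcs12(p12_b64: str) -> list:
    """Return the names of RC2 algorithms referenced in a base-64 PKCS12 blob.

    Heuristic scan: each EncryptedData / encrypted bag announces its cipher in
    a plaintext AlgorithmIdentifier, so the OID TLV can be matched by bytes.
    An empty list means no RC2 usage was found and the bundle should parse.
    """
    lines = [ln for ln in p12_b64.splitlines() if not ln.startswith("-----")]
    der = base64.b64decode("".join("".join(lines).split()))
    return [name for oid, name in RC2_OIDS.items() if encode_oid(oid) in der]


# Constructed samples (not real PKCS12 files): a SEQUENCE wrapping a single
# AlgorithmIdentifier OID, just enough to exercise the scan offline.
SAMPLE_RC2_P12_B64 = base64.b64encode(
    b"\x30\x0c" + encode_oid("1.2.840.113549.1.12.1.6")   # 40-bit RC2 PBE
).decode()
SAMPLE_AES_P12_B64 = base64.b64encode(
    b"\x30\x0b" + encode_oid("2.16.840.1.101.3.4.1.42")   # aes256-CBC
).decode()

if __name__ == "__main__":
    print("RC2 sample:", rc2_algorithms_in_pkcs12(SAMPLE_RC2_P12_B64))
    print("AES sample:", rc2_algorithms_in_pkcs12(SAMPLE_AES_P12_B64))
```

A bundle that the scan flags can be re-exported on a non-FIPS host with AES instead of RC2, for example `openssl pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256`, before it is handed to the gateway.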