6

I am investigating FIPS compliance for our platform. nginx is one of the components and we use nginx 1.15.1. I found the documentation about nginx plus being FIPS compliant.

When NGINX Plus is executed on an operating system where a FIPS‑validated OpenSSL cryptographic module is present and FIPS mode is enabled, NGINX Plus is compliant with FIPS 140-2 with respect to the decryption and encryption of SSL/TLS and HTTP/2 traffic.

https://docs.nginx.com/nginx/fips-compliance-nginx-plus/

Does this apply to open source nginx as well? I did not find any documentation for the open source version. I have posted the query in the nginx forum as well, but am checking here too in case folks have already done FIPS compliance with the open source version.

Anthony Mastrean
Manoj Guglani

2 Answers

7

According to this blog post, it's not a "No" but more of a "We can't be sure" (emphasis mine):

NGINX tests and verifies that NGINX Plus operates correctly when it is run on a FIPS‑enabled OS that is running in FIPS mode. NGINX cannot make similar statements for NGINX Open Source...

https://www.nginx.com/blog/achieving-fips-compliance-nginx-plus/#FIPS-Compliance-with-NGINX-Open-Source

They can't make claims for the OS you compile on or the flags that you use to build. There's a lot going on in an OpenSSL build.

https://wiki.openssl.org/index.php/Compilation_and_Installation

And any deviation from the "trusted path" or "validated" build steps may invalidate your installation.

https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Anthony Mastrean
0

To add to @Anthony Mastrean's answer, you can totally use nginx open source and achieve FIPS compliance with FIPS 140-2 validated crypto modules - it's just that you have to do more work yourself. It mostly comes down to:

If you want to pay nginx, their paid "plus" offering does some/most of this setup for you.

eg. for OS: https://aws.amazon.com/blogs/publicsector/enabling-fips-mode-amazon-linux-2/

eg. for Openssl: https://wiki.openssl.org/index.php/FIPS_mode_and_TLS

Hightower