Security

Functionality

The PSRT server uses OpenSSL cryptographic module functions for:

  • Token generation

  • TLS communication layer

  • AES decryption (UDP)

Native packages

Supported distributions

OpenSSL versions

Native packages use system cryptographic modules only. If vulnerabilities are found in the current versions, they can be fixed by applying system updates in the regular way.

Universal packages

OpenSSL versions

The universal binaries supplied by default (both the free and Enterprise versions) use “vendored” (built-in) OpenSSL libraries. This allows the binaries to be used without external dependencies, but may lead to security problems if vulnerabilities are found in the current OpenSSL version.

This behaviour can be changed by compiling the server without the “openssl-vendored” feature.

Custom PSRT Enterprise native binaries for particular OS/distributions can be provided on request for customers with active contracts.

FIPS 140

OpenSSL has a FIPS module, which is NIST-certified (#4282) as FIPS 140-2 compliant.

PSRT server can have FIPS-140 mode activated with the following:

# ..........
proto:
    fips: true
# ..............

  • Note that if FIPS-140 cannot be enabled but the option is set, the server will not go online.

  • Certain modules use the AWS-LC cryptographic library, which is also FIPS-140-certified (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631). FIPS mode in AWS-LC is enabled automatically during compilation.
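
Because the server will not go online when the option is set but FIPS-140 cannot be enabled, a pre-flight check before deployment is useful on hosts running native packages, which rely on the system OpenSSL. The script below is an added example, not part of PSRT: it checks whether a config requests proto.fips and whether a captured "openssl list -providers" listing shows the fips provider as active. It assumes OpenSSL 3.x, where FIPS is delivered as a provider; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PSRT project code. Assumes OpenSSL 3.x (FIPS shipped as a provider).

# Succeeds if the YAML on stdin has "fips: true" inside the top-level "proto:" block.
config_wants_fips() {
    awk '
        /^[^ \t#]/ { in_proto = ($0 ~ /^proto:[ \t]*(#.*)?$/) }  # each top-level key opens or closes the block
        in_proto && /^[ \t]+fips:[ \t]*true[ \t]*(#.*)?$/ { found = 1 }
        END { exit !found }
    '
}

# Succeeds if "openssl list -providers" output on stdin shows provider "fips" as active.
fips_provider_active() {
    awk '
        NF == 1 && $1 !~ /:$/ { current = $1 }  # a bare word starts a provider entry
        current == "fips" && $1 == "status:" && $2 == "active" { ok = 1 }
        END { exit !ok }
    '
}

# Prints a verdict for config file $1 and captured provider listing $2.
preflight() {
    if ! config_wants_fips < "$1"; then
        echo "fips-not-requested"
    elif fips_provider_active < "$2"; then
        echo "ok"
    else
        echo "fips-unavailable"  # with fips: true the server would not go online
        return 1
    fi
}

# Constructed sample inputs (not captured from a real host).
sample_config() { printf '%s\n' '# ...' 'proto:' '    fips: true' '# ...'; }
sample_providers() {  # $1 = status to report for the fips provider
    printf '%s\n' 'Providers:' '  default' '    name: OpenSSL Default Provider' \
        '    status: active' '  fips' '    name: OpenSSL FIPS Provider' "    status: $1"
}
```

On a host, save the output of "openssl list -providers" to a file and pass it to preflight together with the path of the server config. An "ok" verdict only shows that the system provider is active; it does not apply to universal binaries, which use their vendored OpenSSL.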