Security
Contents
Functionality
PSRT server uses OpenSSL cryptographic modules functions for:
Token generation
TLS communication layer
AES decryption (UDP)
Native packages
Supported distributions
OpenSSL versions
Native packages use system cryptographic modules only. If vulnerabilities are found in the actual versions, this can be fixed by applying system updates in the regular way.
Universal packages
OpenSSL versions
Default supplied universal binaries (both free and Enterprise version) use “vendored” (built-in) OpenSSL libraries. This allows to use the binaries without external dependencies, however may lead to security problems if vulnerabilities are found in the actual OpenSSL version.
The behaviour can be changed with compiling the server without “openssl-vendored” feature.
Custom PSRT Enterprise native binaries for particular OS/distributions can be provided for customers with active contracts by request.
FIPS 140
OpenSSL has a FIPS module, which is NIST-certified (#4282) as FIPS 140-2 complaint.
PSRT server can have FIPS-140 mode activated with the following:
Make sure the native package is installed or compile PSRT to use system OpenSSL libraries.
Note that PKCS12 can not be used for TLS layer in FIPS-140 mode due to cryptographic functions limitations. Use TLS certificates/keys only instead.
Enable FIPS-140 mode in the operating system
Ubuntu Linux 20.04 LTS: https://ubuntu.com/security/certifications/docs/fips-enablement
Other distributions: refer to OS/distribution technical documentation for more info
Activate FIPS-140 mode by putting fips: true option in the server config, The option tells the server to enable FIPS-140 mode even if it is disabled by OS defaults:
# ..........
proto:
fips: true
# ..............
Note that if FIPS-140 can not be enabled but the option is set, the server will not go online.