After a long wait (view the previous blog post), the AlmaLinux 9.2 kernel received FIPS validation making it the first software implementation to receive a FIPS 140-3 ESV certificate using SHA3-256 as a conditioner. It’s also the first EL9 distribution to get a FIPS 140-3 certificate for the kernel. View the certificate here.
What is FIPS?
When it comes to securing sensitive data, cryptographic standards play a crucial role. One of the most influential standards in this realm is FIPS, or Federal Information Processing Standards.
FIPS 140-3 is not just a Federal benchmark, it’s recognized and respected worldwide, for instance, the European Union’s NIS 2 Directive which focuses on network and information security mandates the use of up-to-date encryption and cryptography leveraging established standards. FIPS standards undergo extensive evaluations to ensure that cryptographic algorithms and implementations meet the highest security requirements, making it the gold standard for secure cryptographic practices across the globe.
Anyone who uses AlmaLinux 9.2 can achieve FIPS compliance for FREE, the only thing you need to do is download the packages from the TuxCare repo (docs) and enable FIPS mode:
dnf -y install https://repo.tuxcare.com/fips/tuxcare-fips-release-latest-9.noarch.rpm
dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5
fips-mode-setup --enable
reboot
This allows people with less knowledge about cryptography to configure a strong baseline for implementing secure systems.
Note: AlmaLinux 9.2 is no longer supported by the Foundation, and has been out of support since AlmaLinux 9.3 was released in November of 2023. Backporting security fixes to older versions is out of scope for the foundation, but Tuxcare does provide that service to their customers. Since FIPS is primarily required by institutions that like support contracts, we strongly recommend anyone who’s looking for it, talk to them.
Testing
To test this, we can setup an HTTP server, for example Apache - if you’re interested, we have a comprehensive guide on setting up a LAMP server on AlmaLinux, but for now we can just run:
dnf -y install httpd mod_ssl
systemctl start httpd
If you were to scan the server using nmap, you would see something like this:
For reference, with FIPS mode disabled you get the weaker TLSv1.2 and non-compliant ciphersuites using Edwards curves, SHA1 hashes and ChaCha20-Poly1305 ciphers:
Another way to check your ciphers strength is to look them up on the Ciphersuite Info website or using the sslscan tool.
Whats next?
Simon John, the Security Certification Manager at CloudLinux has let me know that after AlmaLinux 9.5 gets released he is going to start working on the 9.6 validation, which hopefully will materialize faster than 9.2 due to improvements in the CMVP process aimed at reducing the backlog.
Stop the presses!
After publication of this blog post, we received news that the OpenSSL validation has also been added to the Active list with certificate number #4823.
If you’re passionate about exploring new knowledge or sharing what you know, come join us in the AlmaLinux Security Chat. It’s a great place to ask questions, exchange information, or just have a security-related chat. 😊
