At wolfSSL, we are dedicated to 3rd party integration and have been improving our support for Nginx. wolfSSL now has tested patches for Nginx 1.13.8, 1.12.2 and other point releases.
Nginx builds with OpenSSL by default and this makes getting FIPS 140-2 compliance difficult. Compiling Nginx with wolfSSL is simple and we can help you through the validation process for your platform.
No code changes to Nginx are required for FIPS but make sure your configuration is set appropriately. This includes using:
- RSA with keys of 2048-bits or more
- ECC with P-256 or P-384
- Key exchange with (EC) Diffie-Hellman ephemeral over static
- Ciphers AES-128 or AES-256 in GCM over CBC mode
- Digest and MAC with SHA-256 or SHA-384
The recommended cipher suites are:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-GCM-SHA256
Nginx has enabled support for TLS 1.3 and this is also available with wolfSSL. Note that the new draft revision of SP 800-52 requires, for government-only applications, the use of TLS v1.2 and should be configured to use TLS v1.3. wolfSSL has been implementing the TLS v1.3 drafts and performed interoperability testing. We are on track to support the final release of the TLS v1.3 specification.