Kong · cloudjumpercat · Oct 24, 2023 · Oct 12, 2023 · Oct 24, 2023
@@ -7,9 +7,9 @@ content_type: reference
 The Federal Information Processing Standard (FIPS) 140-2 is a federal standard defined by the National Institute of Standards and Technology. It specifies the security requirements that must be satisfied by a cryptographic module. The FIPS {{site.base_gateway}} package is FIPS 140-2 compliant. Compliance means that the software has met all of the rules of FIPS 140-2, but has not been submitted to a NIST testing lab for validation.
 
 
-{{site.ee_product_name}} provides a FIPS 140-2 compliant package for **Ubuntu 20.04** {% if_version gte:3.1.x %}, **Ubuntu 22.04**, and **Red Hat Enterprise 8** {% endif_version %}. This package provides compliance for the core {{site.base_gateway}} product {% if_version gte:3.2.x %} and all out of the box plugins {% endif_version %}.
+{{site.ee_product_name}} provides a FIPS 140-2 compliant package for **Ubuntu 20.04** {% if_version gte:3.1.x %}, **Ubuntu 22.04** {% if_version gte:3.4.x %}, **Red Hat Enterprise 9** {% endif_version %}, and **Red Hat Enterprise 8** {% endif_version %}. This package provides compliance for the core {{site.base_gateway}} product {% if_version gte:3.2.x %} and all out of the box plugins {% endif_version %}.
 
-The package replaces the primary library in {{site.base_gateway}}, OpenSSL, with [BoringSSL](https://boringssl.googlesource.com/boringssl/), which at its core uses the FIPS 140-2 validated BoringCrypto for cryptographic operations.
+The package uses the OpenSSL FIPS 3.0 module OpenSSL to provide FIPS 140-2 validated cryptographic operations.
 
 {% if_version eq:3.0.x %}
 ## Installing the {{site.base_gateway}} FIPS compliant Ubuntu package

@@ -7,9 +7,9 @@ content_type: reference
 The Federal Information Processing Standard (FIPS) 140-2 is a federal standard defined by the National Institute of Standards and Technology. It specifies the security requirements that must be satisfied by a cryptographic module. The FIPS {{site.base_gateway}} package is FIPS 140-2 compliant. Compliance means that {{site.base_gateway}} only uses FIPS 140-2 approved algorithms while running in FIPS mode, but the product has not been submitted to a NIST testing lab for validation.
 
 
-{{site.ee_product_name}} provides a FIPS 140-2 compliant package for **Ubuntu 20.04**, **Ubuntu 22.04**, and **Red Hat Enterprise 8**. This package provides compliance for the core {{site.base_gateway}} product{% if_version gte:3.2.x %} and all out of the box plugins{% endif_version %}.
+{{site.ee_product_name}} provides a FIPS 140-2 compliant package for **Ubuntu 20.04** {% if_version gte:3.1.x %}, **Ubuntu 22.04** {% if_version gte:3.4.x %}, **Red Hat Enterprise 9** {% endif_version %}, and **Red Hat Enterprise 8** {% endif_version %}. This package provides compliance for the core {{site.base_gateway}} product {% if_version gte:3.2.x %} and all out of the box plugins {% endif_version %}.
 
-The package replaces OpenSSL, the primary SSL library in {{site.base_gateway}}, with [BoringSSL](https://boringssl.googlesource.com/boringssl/), which at its core uses the FIPS 140-2 validated BoringCrypto for cryptographic operations.
+The package uses the OpenSSL FIPS 3.0 module OpenSSL to provide FIPS 140-2 validated cryptographic operations.
 
 ## FIPS implementation
 ### Password hashing
@@ -18,8 +18,8 @@ The following table describes how {{site.base_gateway}} uses key derivation func
 
 | Component | Normal mode | FIPS mode | Notes |
 |-----------|-------------|-----------|-------|
-| core/rbac | bcrypt | PBKDF2 <sup>1</sup> | PBKDF2 in BoringSSL isn't FIPS validated. |
-| plugins/oauth2 <sup>2</sup> | Argon2 or bcrypt (when `hash_secret=true`) | Disabled (`hash_secret` can’t be set to `true`) | PBKDF2 in BoringSSL isn't FIPS validated. |
+| core/rbac | bcrypt | PBKDF2 <sup>1</sup> | Compliant via OpenSSL 3.0 FIPS provider  |
+| plugins/oauth2 <sup>2</sup> | Argon2 or bcrypt (when `hash_secret=true`) | Disabled (`hash_secret` can’t be set to `true`) | Compliant via OpenSSL 3.0 FIPS provider |
 | plugins/key-auth-enc <sup>3</sup> | SHA1 | SHA256 | SHA1 is read-only in FIPS mode. |
 
 {:.note .no-icon}
@@ -48,6 +48,10 @@ The following table explains where cryptographic algorithms are used for non-cry
 | core/declarative_config/uuid | UUIDv5 (namespaced SHA1) | UUIDv5 (namespaced SHA1) | Used to generate a unique identifier. |
 | core/declarative_config/config_hash and core/hybrid/hashes | MD5 | MD5 | Used to generate a unique identifier. |
 
+{% if_version gte:3.5.x %}
+| core/kong_request_id | rand(3) | rand(3) | The RNG isn’t used for cryptographic purposes. |
+{% endif_version %}
+
 ### SSL client
 
 FIPS 140-2 only mentioned SSL server, which is already supported in {{site.base_gateway}} FIPS 3.0. FIPS specification isn't designated for SSL clients, so there isn't specific handling of these in {{site.base_gateway}}.
@@ -57,4 +61,4 @@ This includes:
 {% if_version lte:3.3.x %}
 * Using Lua to talk in HTTPS, PostgreSQL SSL, and Cassandra SSL
 {% endif_version %}
-* Using an upstream that proxies in HTTPS
+* Using an upstream that proxies in HTTPS
@@ -8,22 +8,22 @@ This reference lists which {{site.base_gateway}} plugins are FIPS 140-2 complian
 
 | Plugin  | Subcomponent Compliance (if applicable)         | FIPS Compliant    | Notes |
 |-------|-------------|--------|-----|
-| jwe-decrypt | N/A | Yes | Compliant via BoringSSL |
+| jwe-decrypt | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
 
 {% if_version gte: 3.2.x %}
-| openid-connect | All | Yes | Compliant via BoringSSL |
-| jwt-signer | All | Yes | Compliant via BoringSSL |
-| key-auth-enc | N/A | Yes | Compliant via BoringSSL |
+| openid-connect | All | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| jwt-signer | All | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| key-auth-enc | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
 {% endif_version %}
 
-| hmac-auth | N/A | Yes | Compliant via BoringSSL |
-| ldap-auth-advanced | N/A | Yes | Compliant via BoringSSL |
-| proxy-cache | N/A | Yes | Compliant via BoringSSL |
-| proxy-cache-advanced | N/A | Yes | Compliant via BoringSSL |
-| graphql-proxy-cache-advanced | N/A | Yes | Compliant via BoringSSL |
-| mtls-auth | N/A | Yes | Compliant via BoringSSL |
-| oauth2 | N/A | Yes | Compliant via BoringSSL |
-| basic-auth | N/A | Yes | Compliant via BoringSSL |
-| saml | N/A | Yes | Compliant via BoringSSL |
-| jwt | N/A | Yes | Compliant via BoringSSL |
+| hmac-auth | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| ldap-auth-advanced | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| proxy-cache | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| proxy-cache-advanced | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| graphql-proxy-cache-advanced | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| mtls-auth | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| oauth2 | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| basic-auth | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| saml | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
+| jwt | N/A | Yes | Compliant via OpenSSL 3.0 FIPS provider |
 | All other Kong Inc. plugins | N/A | N/A | No cryptographic operations involved |