Overview

Aviatrix version 9.0 transitions from FIPS 140-2 to FIPS 140-3. The FIPS 140-3 implementation uses the OpenSSL 3.x FIPS provider for cryptographic operations, replacing the OpenSSL 1.x FIPS module used in previous versions. Starting in version 9.0, the FIPS toggle at Settings > Configuration > General displays “FIPS 140-3”. For controller versions below 9.0, the toggle continues to display “FIPS 140-2”. For information about FIPS 140-2 (applicable to versions prior to 9.0), see the FIPS 140-2 reference page.

Upgrade Requirements for FIPS-Enabled Gateways

FIPS-enabled gateways require an image upgrade to move to version 9.0. A software upgrade is not supported and will fail.
If you attempt a software upgrade on a FIPS-enabled gateway to version 9.0, the upgrade fails with the following error:
FIPS mode is enabled, and this is an upgrade to 9.0. You must perform an image upgrade to enable FIPS 140-3.
The dry-run check detects this condition before the upgrade proceeds. Always run a dry-run check before upgrading FIPS-enabled gateways to version 9.0.

CA Certificate Rotation

Controllers originally initialized on version 7.1 or earlier generated 1024-bit RSA CA keys. The FIPS 140-3 TLS provider does not support 1024-bit keys.
If your Controller was originally initialized on version 7.1 or earlier, you must rotate to a new CA certificate before upgrading to version 9.0 with FIPS enabled. Failure to do so results in UserVPN TLS handshake failures.
For instructions on rotating your internal service CA, see Internal Service CA Rotation.
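The following pre-upgrade check is an added example and not Aviatrix code: given a PEM copy of the Controller's internal service CA certificate, it reads the public key algorithm and size with the openssl CLI and fails when the key is RSA below 2048 bits, the case the FIPS 140-3 provider rejects. The script name, the certificate path and the exit codes are assumptions for illustration.

```shell
#!/bin/sh
# fips_ca_check.sh (added example, not Aviatrix code): flag CA certificates whose RSA key
# is too small for the FIPS 140-3 TLS provider. Requires the openssl command-line tool.

MIN_RSA_BITS=2048

# Print the public key algorithm of the certificate in $1 (e.g. "rsaEncryption").
ca_key_algo() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: \(.*\)$/\1/p' \
        | head -n 1
}

# Print the public key size in bits of the certificate in $1 (empty if unreadable).
ca_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Return 0 if the CA key is acceptable for FIPS 140-3, 1 if it is an RSA key below
# MIN_RSA_BITS, 2 if the certificate cannot be parsed.
check_ca_cert() {
    algo=$(ca_key_algo "$1")
    bits=$(ca_key_bits "$1")
    if [ -z "$algo" ] || [ -z "$bits" ]; then
        echo "ERROR: could not read a public key from $1" >&2
        return 2
    fi
    if [ "$algo" != "rsaEncryption" ]; then
        # The 1024-bit restriction on this page concerns RSA CA keys; report other types only.
        echo "NOTE: $1 uses a non-RSA key ($algo, $bits bit); no RSA size rule applies"
        return 0
    fi
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL: $1 uses a ${bits}-bit RSA key; rotate the CA before enabling FIPS 140-3" >&2
        return 1
    fi
    echo "OK: $1 uses a ${bits}-bit RSA key"
    return 0
}

# Usage: sh fips_ca_check.sh /path/to/internal-ca.pem
if [ "$#" -eq 1 ]; then
    check_ca_cert "$1"
fi
```

Run it against the exported CA certificate before starting the upgrade; a non-zero exit means the CA must be rotated first, matching the handshake failure the page describes.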

Per-Gateway FIPS Mode

Starting in version 9.0, FIPS mode is tracked per-gateway in addition to the global setting. Each gateway has a FIPS flag that indicates whether it was deployed with FIPS enabled. You can view the FIPS mode status for each gateway in the Gateway Details view in CoPilot.

VPN Client Compatibility

FIPS 140-3 gateways require OpenVPN clients running version 2.6.0 or later.
Older VPN clients that use legacy TLS settings may fail to connect to FIPS 140-3 gateways. Ensure all VPN clients are updated to OpenVPN 2.6.0 or later before enabling FIPS 140-3.
Clients running older versions of OpenVPN may encounter TLS handshake failures with the error “no suitable signature algorithm”. This occurs because the TLS 1.0 PRF with MD5+SHA1 is not supported under the FIPS 140-3 security policy.
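As an added example (not Aviatrix code), the following script checks a client host before it is pointed at a FIPS 140-3 gateway: it parses the first line of the `openvpn --version` banner and requires version 2.6.0 or later. The script name, the sample banner used for testing and the exit codes are assumptions for illustration.

```shell
#!/bin/sh
# openvpn_client_check.sh (added example, not Aviatrix code): confirm the local OpenVPN
# client meets the 2.6.0 minimum required by FIPS 140-3 gateways.

MIN_MAJOR=2
MIN_MINOR=6

# Extract "X.Y" or "X.Y.Z" from a banner line such as
# "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] ..." (constructed sample; real
# banners carry the same leading "OpenVPN <version>" fields).
openvpn_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n '1s/^OpenVPN \([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Return 0 if version string $1 (e.g. 2.6.0) is at least MIN_MAJOR.MIN_MINOR, else 1.
openvpn_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# Check the installed client: 0 when acceptable, 1 when too old, 2 when not installed
# or the banner could not be parsed.
check_installed_openvpn() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn not found" >&2; return 2; }
    banner=$(openvpn --version 2>/dev/null | head -n 1)
    ver=$(openvpn_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse OpenVPN version from: $banner" >&2
        return 2
    fi
    if openvpn_version_ok "$ver"; then
        echo "OK: OpenVPN $ver meets the 2.6.0 minimum for FIPS 140-3 gateways"
        return 0
    fi
    echo "FAIL: OpenVPN $ver is older than 2.6.0; expect TLS handshake failures" >&2
    return 1
}

# Usage: sh openvpn_client_check.sh
if [ "$#" -eq 0 ] && [ -n "${RUN_CHECK:-}" ]; then
    check_installed_openvpn
fi
```

Setting `RUN_CHECK=1` runs the check on the installed client; the two helper functions can also be reused by configuration-management tooling that already collects the version banner from each endpoint.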

Rollback Behavior

Rolling back a FIPS 140-3 enabled VPN gateway from version 9.0 reverts it to the standard (non-FIPS) OpenVPN container. This is expected behavior. After a rollback, FIPS mode is no longer active on the gateway. To re-enable FIPS 140-3, perform an image upgrade back to version 9.0.