THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT, v7.2.8, v7.3.6 and later
Do you have a link to the certificate for your FIPS ciphers?
Globalscape EFT leverages the OpenSSL FIPS Object Module 2.0 for all of its cryptographic functions while in FIPS mode. This module has been repeatedly certified by multiple organizations (such as cert #2839 and others), and by extension, can be assumed to retain its FIPS-validated status no matter which organization or product adopts the module for its own use, when the module is used in its original (unaltered) form.
The FIPS module is distributed as a tar.gz source archive. The security policy document contains the SHA-1 digest (which we check manually after downloading) and the exact steps to unpack and build the module. Our own build scripts follow the document to the letter, which is why we can claim that we use a certified module. It is also why we use gunzip.exe instead of the tools built into Windows, and why we build the module using Visual Studio 2010: these are the tools the document says should be used.
The module itself contains tests that it runs each time it is loaded and initialized. The tests are sealed from outside code (including our EFT code and the non-certified parts of OpenSSL). During the build, the module is hashed in memory and the signature becomes hard-coded into it. The signature is verified each time we load the module. The tests also include some tests of the algorithms. The test inputs and outputs, however, are sealed. That is, we don't modify the module, and it has internal tests to make sure it wasn't modified afterwards.
This is all described in the security policy document, which is also validated by NIST, found here: https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf
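
A simplified model of the load-time self-tests described above, added here as an example; it is not Globalscape's or OpenSSL's code. The key, the module bytes and the function names are constructed for illustration, and HMAC-SHA-1 stands in for the module's own fingerprint computation.

```python
import hashlib
import hmac

# Constructed values for this sketch; not the real module's key or layout.
INTEGRITY_KEY = b"constructed-demo-key"
# Known-answer test vector: the standard published SHA-1 digest of "abc".
KAT_INPUT = b"abc"
KAT_EXPECTED = "a9993e364706816aba3e25717850c26c9cd0d89d"


def build_module(code: bytes) -> dict:
    """Build step: fingerprint the module image and embed the result."""
    fingerprint = hmac.new(INTEGRITY_KEY, code, hashlib.sha1).digest()
    return {"code": code, "fingerprint": fingerprint}


def integrity_ok(module: dict) -> bool:
    """Recompute the fingerprint over the loaded image and compare."""
    actual = hmac.new(INTEGRITY_KEY, module["code"], hashlib.sha1).digest()
    return hmac.compare_digest(actual, module["fingerprint"])


def known_answer_ok(sha1=hashlib.sha1) -> bool:
    """Run the algorithm on a fixed input and compare with the fixed output."""
    return hmac.compare_digest(sha1(KAT_INPUT).hexdigest(), KAT_EXPECTED)


def load_module(module: dict, sha1=hashlib.sha1) -> str:
    """Load step: refuse to start unless every self-test passes."""
    if not integrity_ok(module):
        raise RuntimeError("integrity check failed: module image was modified")
    if not known_answer_ok(sha1):
        raise RuntimeError("known-answer test failed: algorithm output is wrong")
    return "self-tests passed"


if __name__ == "__main__":
    module = build_module(b"\x55\x48\x89\xe5 constructed module bytes")
    print(load_module(module))
    # Flip the last byte after the build: the embedded fingerprint no longer matches.
    tampered = dict(module, code=module["code"][:-1] + b"X")
    try:
        load_module(tampered)
    except RuntimeError as err:
        print("load refused:", err)
```

Because the fingerprint and the test vectors are fixed at build time, any later change to the covered bytes or to an algorithm's output makes the load fail rather than silently continue.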