What OpenSSL version is Fireware using?

edited December 2022 in Firebox - Other

I was looking at FIPS for Fireware, and I see "Fireware v12.3.1 is the latest FIPS-certified version of Fireware. In Fireware v12.4 and higher, Fireware uses a version of OpenSSL that does not support FIPS 140-2."

FIPS Support in Fireware
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/overview/fireware/fips_about_c.html

However, it looks like OpenSSL V3.0 now has FIPS certification:

OpenSSL FIPS 140-2 Validation Certificate Issued
https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/

So, what OpenSSL version is Fireware using?
And are there ongoing plans for the latest Fireware versions to be able to run in FIPS mode?

Best Answers

  • james.carson Moderator, WatchGuard Representative
    Answer ✓

    Hi Bruce,

    Fireware uses 1.1.1n at this current point in time. (As of 12.8 Update 1)

    FIPS certification is a bit of a process and effectively freezes at the version number that the firewall was submitted with. It's unlikely that the older firewalls that were previously certified will be re-submitted (by the time they're approved they won't be available to buy anymore.)

    The folks that run that program may be looking into v3.0 for 140-3. I'll have to look into that and get back to you.

    -James Carson
    WatchGuard Customer Support

  • Thanks

  • james.carson Moderator, WatchGuard Representative
    Answer ✓

    @Bruce_Briggs
    I was able to find that work is being done on OpenSSL v3.0 (or better) for FIPS 140-3, but what will be included exactly will depend on feedback from the 3rd party testing and/or requirements set by the governmental bodies that form those standards.

    140-3 is likely still a bit of time off -- the process is intentionally methodical.

    All of our devices will likely support FIPS mode regardless of whether that specific model is certified or not.

    -James Carson
    WatchGuard Customer Support

Answers

  • It's also important to remember that OpenSSL 1.1.1 will become End of Life on 11th September 2023. Are WatchGuard planning to migrate to OpenSSL 3.x before then or will they be relying on a premium support contract with OpenSSL to obtain ongoing security fixes for OpenSSL 1.1.1?

    https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

  • james.carson Moderator, WatchGuard Representative

    Hi @JJNet -- Like I mentioned above, work is in progress for OpenSSL 3.x. I do not have an exact date or version as to when this might be implemented.

    -James Carson
    WatchGuard Customer Support

  • With V12.9.3, OpenSSL is at v1.1.1t
