Enabling FIPS Compliance

Starting with 15.7 SP120, the client libraries do not enable strict FIPS compliance by default; the application should enable compliance.

OpenSSL in FIPS mode is strictly controlled by OpenSSL security. Therefore, before enabling FIPS compliance on the client libraries, ensure that the Server SSL Certificates comply with the FIPS requirements. Otherwise, connections to the server fail when FIPS mode is enabled.

This also means that some certificates that worked with the Certicom FIPS module may no longer work when using OpenSSL.

FIPS 140-2 requirements for Server SSL Certificates:
  • The MD5 algorithm is not FIPS 140-2 compliant; you must replace MD5 with a FIPS-compliant algorithm.
  • Private keys must be in PKCS #8 format and encrypted with an OpenSSL FIPS 140-2 compliant algorithm.
  • If you use RSA encryption algorithms for the digital signature, the RSA key size must be at least 1024 bits.
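
The private-key requirement above can be checked before FIPS mode is turned on. The following is an added example, not part of the original documentation: it reads a PEM key, confirms that it is an encrypted PKCS #8 block, and reports the encryption scheme found in its header. The function names, the zero-filled sample keys (constructed, not real keys) and the choice to accept only AES-CBC under PBES2 are assumptions of this example.

```python
import base64
import re

PBES2 = "2a864886f70d01050d"                                # 1.2.840.113549.1.5.13
MD5_PBES1 = {"2a864886f70d010503": "pbeWithMD5AndDES-CBC",  # 1.2.840.113549.1.5.3
             "2a864886f70d010506": "pbeWithMD5AndRC2-CBC"}  # 1.2.840.113549.1.5.6
# Assumption of this example: under PBES2 only AES-CBC (2.16.840.1.101.3.4.1.x) passes.
AES_CBC = {"608648016503040102": "aes128-CBC", "608648016503040116": "aes192-CBC",
           "60864801650304012a": "aes256-CBC"}

def tlv(buf, pos):                     # one DER TLV -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid_at(buf, pos):                  # -> (hex of OID content bytes, offset after OID)
    tag, start, end = tlv(buf, pos)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return buf[start:end].hex(), end

def check_key(pem):
    """Return (ok, detail) for a PEM private key checked against the key rule."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", pem, re.S)
    if not m or m.group(1) != "ENCRYPTED PRIVATE KEY":
        return False, "not an encrypted PKCS #8 PEM block"
    der = base64.b64decode(m.group(2))
    _, p, _ = tlv(der, 0)              # EncryptedPrivateKeyInfo SEQUENCE
    _, p, _ = tlv(der, p)              # encryptionAlgorithm SEQUENCE
    scheme, p = oid_at(der, p)
    if scheme != PBES2:
        return False, MD5_PBES1.get(scheme, "scheme OID " + scheme) + " is not accepted"
    _, p, _ = tlv(der, p)              # PBES2-params SEQUENCE
    _, _, p = tlv(der, p)              # step over keyDerivationFunc
    _, p, _ = tlv(der, p)              # encryptionScheme SEQUENCE
    cipher, _ = oid_at(der, p)
    return cipher in AES_CBC, "PBES2 with " + AES_CBC.get(cipher, "OID " + cipher)

def sample(hexder, label="ENCRYPTED PRIVATE KEY"):  # constructed input, not real keys
    b64 = base64.b64encode(bytes.fromhex(hexder)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

Z8, Z16 = "00" * 8, "00" * 16          # placeholder salt / IV / ciphertext bytes
GOOD = sample("305d304906092a864886f70d01050d303c301b06092a864886f70d01050c300e0408"
              + Z8 + "02020800301d060960864801650304012a0410" + Z16 + "0410" + Z16)
MD5_KEY = sample("302f301b06092a864886f70d010503300e0408" + Z8 + "020208000410" + Z16)
LEGACY = sample(Z16, "RSA PRIVATE KEY")  # traditional (non-PKCS #8) PEM label
```

The check reads only the unencrypted algorithm header of the key file, so it needs no passphrase.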

See the Adaptive Server Enterprise SP60 New Features Guide for more details.