Securing the Gateway
The faspio Gateway uses Transport Layer Security (TLS) to secure your TCP connections and initiate key exchange for the FASP protocol.
Configuring TLS
When two Gateways connect to each other, they use Mutual TLS (mTLS) authentication to verify that the traffic is secure and trusted in both directions. mTLS requires a certificate chain, a certificate key, and a verification key on both servers. The following sample is a configuration of two servers that are configured with mTLS:
GW1 Configuration (Client) | GW2 Configuration (Server)
- cert_chain: The relative path to the certificate chain signed by a valid CA.
- cert_key: The relative path to the private key that matches the cert chain.
- verify: The relative path to the verification key that verifies the other server's chain is signed by the correct CA.
- host_verify_enabled: Optionally enforce extra security by requiring that the host field defined in the client's bridge.forward section matches the Common Name in the server's SSL certificate.
Disabling TLS
To disable TLS, add tls_enabled = false to the section for the connection on which you want to disable TLS. For example, if your faspio Gateway servers and HSTS servers run in the same private, secured network, you might consider disabling TLS for those sections only:
GW1 Configuration (Client) | GW2 Configuration (Server)
Enabling FIPS
In faspio Gateway, FIPS (Federal Information Processing Standards) is disabled by default. To enable FIPS, set the fips_enabled flag to true in the /usr/local/etc/faspio/gateway.toml file. Additionally, you can specify a custom path to the OpenSSL configuration file using the openssl_config option in the [general] section.
# /usr/local/etc/faspio/gateway.toml
[general]
fips_enabled = true
openssl_config = "/tmp/openssl.cnf"
To enable FIPS with the default OpenSSL configuration:
- Set the fips_enabled flag to true in the gateway.toml file:
  # /usr/local/etc/faspio/gateway.toml
  [general]
  fips_enabled = true
- Start the gateway.

To enable FIPS with a custom OpenSSL configuration:
- Set the fips_enabled flag to true in the gateway.toml file:
  # /usr/local/etc/faspio/gateway.toml
  [general]
  fips_enabled = true
- Place your custom openssl.cnf file in a location that is accessible to the system user, for example /tmp/openssl.cnf. Include the path in the gateway.toml file:
  $ cat /usr/local/etc/faspio/gateway.toml
  [general]
  ...
  fips_enabled = true
  openssl_config = "/tmp/openssl.cnf"
- Move the fipsmodule.cnf file from its default installation location /usr/local/etc/faspio/fipsmodule.cnf to a new location that is accessible to the system user, for example /tmp/fipsmodule.cnf. Add the full path to the openssl.cnf file:
  $ grep "^\.include" /tmp/openssl.cnf
  .include /tmp/fipsmodule.cnf
- Start the gateway.
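As an added example (not part of the faspio Gateway product or its documentation), the following POSIX shell audit checks a gateway.toml the way the "Disabling TLS" and "Enabling FIPS" sections above describe: it lists every section that sets tls_enabled = false, and verifies that fips_enabled is true, that the openssl.cnf named by openssl_config is readable, and that the .include line in it points at a readable fipsmodule.cnf. It assumes the one-key-per-line layout shown above; the sample files, the [bridge.forward] section name and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not faspio code. Assumes "key = value" on one line per key.
# Print every [section] in $1 that sets tls_enabled = false.
tls_disabled_sections() {
  awk '/^[[:space:]]*\[/ { sec = $0; gsub(/^[[:space:]]*\[/, "", sec); gsub(/][[:space:]]*$/, "", sec) }
       /^[[:space:]]*tls_enabled[[:space:]]*=[[:space:]]*false/ { print sec }' "$1"
}
# Print the path given by openssl_config in $1 (empty if the key is unset).
openssl_config_path() {
  sed -n 's/^[[:space:]]*openssl_config[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}
# Verify the FIPS chain from the steps above: fips_enabled = true, the openssl.cnf
# named by openssl_config is readable, and every file named on a ".include" line
# in it (the fipsmodule.cnf) is readable too. Prints one problem per line;
# returns 0 only when nothing is wrong.
fips_check() {
  toml=$1 rc=0
  grep -q '^[[:space:]]*fips_enabled[[:space:]]*=[[:space:]]*true' "$toml" ||
    { echo "fips_enabled is not true in $toml"; rc=1; }
  cnf=$(openssl_config_path "$toml")
  if [ -n "$cnf" ] && [ ! -r "$cnf" ]; then
    echo "openssl_config $cnf is not readable"; rc=1
  elif [ -n "$cnf" ]; then
    mods=$(sed -n 's/^\.include[[:space:]]*//p' "$cnf")
    [ -n "$mods" ] || { echo "$cnf has no .include line"; rc=1; }
    for m in $mods; do
      [ -r "$m" ] || { echo "$cnf includes unreadable $m"; rc=1; }
    done
  fi
  return $rc
}
# Constructed sample files (not a real deployment), written to a temp dir.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
: > "$DEMO/fipsmodule.cnf"
printf '.include %s/fipsmodule.cnf\n' "$DEMO" > "$DEMO/openssl.cnf"
printf '.include %s/missing-fipsmodule.cnf\n' "$DEMO" > "$DEMO/broken.cnf"
cat > "$DEMO/gateway.toml" <<EOF
[general]
fips_enabled = true
openssl_config = "$DEMO/openssl.cnf"
[bridge.forward]
host = "gw2.example"
tls_enabled = false
EOF
sed "s#openssl.cnf#broken.cnf#" "$DEMO/gateway.toml" > "$DEMO/broken.toml"
echo "TLS disabled in: $(tls_disabled_sections "$DEMO/gateway.toml")"
fips_check "$DEMO/gateway.toml" && echo "gateway.toml: FIPS chain ok"
fips_check "$DEMO/broken.toml" || echo "broken.toml: FIPS chain has problems"
```

Run it against a real /usr/local/etc/faspio/gateway.toml by passing that path to the two check functions instead of the constructed files.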