Prior to the release of ConfD 7.2, ConfD users developing FIPS 140-2 compliant ConfD applications had to either come up with their own solution or follow the one described in the first version of my App Note on ConfD and High-Security Applications. With the recent upgrade to Erlang OTP 20 inside ConfD 7.2, ConfD has introduced support for the FIPS mode feature. You can now use all of the cryptographic features that are built into ConfD by just turning on the FIPS mode feature in confd.conf and rebuilding both crypto.so and libconfd.so with a FIPS-capable version of libcrypto from the OpenSSL of your choice. This new feature has significantly simplified the work needed to allow ConfD applications to be sold into markets that have FIPS 140-2 requirements.
The new version of my application note describes how to set up ConfD to run in FIPS mode. It also describes a simple test that you can run to verify that it is running properly in FIPS mode. The approach outlined in the first version of my app note has now been marked as deprecated.
I strongly recommend that everyone with FIPS 140-2 requirements upgrade to ConfD 7.2.1 in order to take advantage of the FIPS mode feature. For those who can’t do the ConfD upgrade but still have a FIPS 140-2 requirement, I would like to point out that removing crypto.so from your ConfD runtime environment is no longer suggested if you are following the old approach of removing the libcrypto dependency from ConfD. Download the new version of my application note to get far more detail.