Important News:SafeLogic Announces General Availability of CryptoComply BoringCrypto! Read the announcement.

Request Consultation
Request Consultation

CryptoComply Cryptography Software

Key Capabilities

Entropy

Extended Support

FIPS 140

Cryptography Compliance

Post-Quantum Cryptography

Industries

Use Cases





NGINX FIPS 140-3 Implementation with CryptoComply Core 


Deploy NGINX TLS termination (edge / reverse proxy / gateway) on a FIPS 140-3 validated cryptographic software foundation—with a repeatable build path and auditable verification.

Request Technical Walkthrough

 

 

Developer Summary:

What it is: NGINX built so TLS operations rely on a FIPS-validated cryptographic software foundation (OpenSSL-compatible via CryptoComply Core).

What changes?  Build NGINX from source using the CryptoComply-provided OpenSSL headers/libraries, and ensure the runtime configuration enables the FIPS provider.

How to verify: Use nginx -V to confirm it’s built with the CryptoComply OpenSSL version and validate the configuration with nginx -t.

What you get:  Validation artifacts, build provenance, and configuration guidance for audit workflows.

Compatibility Notes

  • No built-in “FIPS switch.” FIPS behavior is not enforced at the application level; it depends on OS policy and OpenSSL configuration.
  • TLS is negotiated. Regulated deployments typically constrain allowed suites/groups to match program policy.
  • Verification matters. Confirm the linked OpenSSL version (nginx -V) and keep build/configuration provenance for audits.
NGINX-logo-small

Talk to an Expert

Quickstart: Build NGINX FIPS with CryptoComply Core

This workflow builds NGINX from source and links it against SafeLogic’s CryptoComply Core OpenSSL libraries, providing a validated cryptographic foundation.

Prerequisites

nodejs-fips-use-case-who-is-it-for

Log-In to the Portal

Set environment variables


export OPENSSL_DIR=/usr/local
export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
export CPPFLAGS="-I/usr/local/include"
export LDFLAGS="-L/usr/local/lib"


Update the dynamic linker


export OPENSSL_CONF=/usr/local/ssl/openssl.cnf
echo "/usr/local/lib" > /etc/ld.so.conf.d/openssl.conf
ldconfig


Download NGINX source + build


wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
tar -xzf nginx-${NGINX_VERSION}.tar.gz
cd nginx-${NGINX_VERSION}

./configure \
  --prefix=/usr/local/nginx \
  --sbin-path=/usr/local/sbin/nginx \
  --conf-path=/usr/local/nginx/conf/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-pcre-jit \
  --with-cc-opt="-I/usr/local/include" \
  --with-ld-opt="-L/usr/local/lib -Wl,-rpath,/usr/local/lib"

make -j"$(nproc)"
make install


Verify the build

Basic checks


nginx -v
nginx -t


Confirm the CryptoComply OpenSSL version is in use


nginx -V


Expected example: output shows built with OpenSSL 3.5.5+SL_CC-3.0.0 … (not the system OpenSSL).

Want the Automated Scripts?

SafeLogic provides OS-specific automated build scripts in the portal-delivered use case package to perform the same steps and automatically update openssl.cnf to ensure the FIPS provider is enabled.

Talk to an Expert

Technical Overview

Validated cryptographic foundation, negotiated algorithms, and evidence requirements

Component / Area Default Behavior (standard NGINX) SafeLogic-Approved Approach Notes / Compliance Impact

Cryptographic Foundation

NGINX commonly links against system OpenSSL

 CryptoComply Core (OpenSSL-compatible) Standardizes TLS cryptographic operations on a validated foundation.

TLS Negotiation

Broad suites/groups depending on defaults

 Constrain per program policy Prevents negotiation of disallowed options in regulated contexts.

Verification

“It’s TLS-enabled”

 nginx -V shows CryptoComply OpenSSL + nginx -t validates config Produces verifiable proof for audits and troubleshooting.

Automation

Manual steps vary by team Portal-delivered scripts + Docker option Improves repeatability; scripts update openssl.cnf to enable the FIPS provider.

The Compliance Gap with Standard NGINX

NGINX does not include a built-in “FIPS switch,” and compliance isn’t enforced at the application level. In practice, whether NGINX is running in a FIPS-ready way depends on OS-level FIPS enablement, the OpenSSL cryptographic implementation it’s linked against, and correct configuration of both OpenSSL and NGINX—so simply enabling TLS does not guarantee compliance.

How SafeLogic closes the gap: Because NGINX depends on OpenSSL, the practical path is to standardize the OpenSSL layer on validated cryptographic software (CryptoComply Core) and ship with verifiable configuration and provenance for auditors.

Talk to an Expert

Access, Rollout, and Evidence

nodejs-fips-140-access-rollout-evidence

 

How Customers Access it

Customers access required build artifacts through SafeLogic’s Customer Portal and integrate them into internal artifact repositories and CI/CD pipelines.

  • Delivery formats: pre-built artifacts and/or build toolchain integration (based on workflow)
  • Supported platforms (OS/architectures): Portal-provided builds across operating systems and CPU architectures (customers see what they're licensed for)
  • Selecting the right build: locate artifacts by product/version/operating system/architecture and pull into internal repositories/pipelines

Need the exact OS/architecture matrix for your environment?

Talk to an Expert

Typical Rollout

Proof of Concept

Confirm where NGINX terminates TLS (edge, ingress, gateway), your policy constraints, and target platforms.

Integration

Build NGINX against CryptoComply Core (manually or via scripts) and integrate it into CI/CD and runtime baselines.

Verification

Confirm build/version output and configuration validity (nginx -V, nginx -t).

Production

Deploy through standard rollout/monitoring with repeatable build pipelines.

Evidence for Auditors

  • Validation artifacts for the underlying validated cryptographic software (as applicable)
  • Build provenance (versions/config flags) and repeatable build description
  • Configuration/operation guidance aligned to your program requirements

cryptography-security-policy-fips-140-validation-artifacts

Frequently Asked Questions (NGINX & FIPS)

Is this interoperable with standard TLS clients?

Generally, yes—TLS remains standard. Interoperability depends on the suites/groups you constrain to match regulated policy.

Does NGINX “come FIPS validated”?

No. FIPS 140 validation applies to the underlying cryptographic implementation. This use case standardizes the OpenSSL layer and provides verification and provenance.

How do we verify NGINX is using the right OpenSSL?

Run nginx -V and confirm it reports the CryptoComply OpenSSL version (e.g., OpenSSL 3.5.5+SL_CC-3.0.0).

What do the automated scripts do that manual steps don’t?

They perform the same build steps and automatically update openssl.cnf to ensure the FIPS provider is enabled.

What is the impact of the September 2026 FIPS deadline?

NIST will move all FIPS 140-2 certificates to the "Historical List" on September 21, 2026. For NGINX teams, this means any new procurement or major FedRAMP updates must use FIPS 140-3 validated cryptographic software. SafeLogic’s approach is designed to bridge this transition seamlessly.

Explore More Use Cases

Apache FIPS
Apache FIPS

Apache FIPS
node-js-logo-2
node-js-logo-2

Node.js FIPS
wireguard-logo-1
wireguard-logo-1

Wireguard-go FIPS

Ready to Run NGINX in Regulated Environments?

Get guidance on approved TLS policy constraints, supported platforms, and the evidence your program requires. Call us at 844-436-2797 or complete the form below.