OpenSSL and FIPS 140-2 Validation Status

The most recent open source based validation of a cryptographic module (Module) compatible with the OpenSSL libraries is v2.0.1, FIPS 140-2 certificate #1747. This Module is documented in the 2.0 User Guide. It substantially updates and improves the earlier v1.2 module, FIPS 140-2 certificate #1051, which is documented in the 1.2 User Guide.

Important Note: Due to new requirements introduced in 2013 the current v2.0 Module is no longer suitable as a reference for private label validations; see the I.G. 9.5 FAQ. Due to earlier changes in the FIPS 140-2 validation requirements the v1.2 Module is no longer be a suitable model for private label validations in its current form past the year 2010; see the NIST Notices, discussion paper and Draft 800-131.

The 2.0 Validation

On January 4, 2011 we began work on the new open source FIPS 140-2 Level 1 validation. This validation covers most of the objectives we have been wanting to achieve in a new validation, including:

Satisfying the new CMVP testing guidelines.
One or more new PRNG implementations.
Algorithm test programs for the AESGCM and ECDSA algorithms.
RSA encryption.
Upgrade DSA2 for key sizes greater then 1024.
Any mandatory additional tests or algorithm modifications for the testing guidelines.
An extensive re-design of the FIPS Module to eliminate OpenSSL revision dependencies. The new module will live in a completely separate purpose-built source distribution. In contrast to the current module, this new module will at least in principle be useful in some stand-alone contexts requiring only low level cryptographic primitives.

In addition this validation also includes:

Suite B cryptography, and a "Suite B" mode of operation enforcement similar to that provided by the current "FIPS capable" OpenSSL.

Thanks to multiple platform sponsorships the 2.0 validation includes the largest number of formally tested platforms for any validated module.

Current Status

The validation was awarded on June 27, 2012, certificate number #1747. The source code and User Guide document can be downloaded from the OpenSSL web site. On July 9, 2012 the first "change letter" update was approved, adding six additional platforms and a new revision number of 2.0.1. The revised source code can be used for all tested platforms, though the older 2.0 source distribution remains valid for the platforms tested at that time. On October 24, 2012, the second "change letter" update was approved, adding two additional platforms and a new revision number of 2.0.2. The revised source code can be used for all tested platforms, though the older 2.0 and 2.0.1 revisions remain valid for the platforms tested at the time those revisions were approved.

Sponsors

The OpenSSL Software Foundation receives support from multiple sources for each validation effort; however only those sponsors who have elected to be recognised for their contribution to OpenSSL are listed below.

Defense Advanced Research Projects Agency (DARPA) Transformative Apps Program, original primary sponsor of the overall validation with several Android on ARMv7 platforms.
Intersoft International, Inc., platform sponsor (VC++ Win32/x86 asm optimisation)
Opengear, Inc., platform sponsor (uCLinux ARMv4 asm optimisation)
QuintessenceLabs Pty Ltd, platform sponsor (Fedora 14 x86-64 asm optimisation)
PKWARE, Inc., platform sponsor (HPUX 11i on Itanium 32, 64 bit with asm optimisation)
platform sponsor (Ubuntu Linux 32bit x86 with asm optimisation)
Cerberus, LLC, general sponsor
DHS Science and Technology Directorate-sponsored Homeland Open Security Technology (HOST) program, algorithm sponsor (CMAC, AES-CCM)
Innominate Security Technologies AG, platform sponsor (Linux on Freescale MPC8313)
PSW Group, general sponsor

If you have an interest in sponsoring any changes or additions to this validation please contact the OSF.

Some commercial software vendors ask us "what do we gain from sponsoring a validation that our competition can also use?". Our answer is "nothing, if you think in terms of obstructing your competition". If, on the other hand, you compete primarily on the merits of you products what others may do with the validation is less of a threat as they derive no more advantage from it than you do. Your advantage is that your sponsorship will probably cost less that the commercial software license you would otherwise have to buy, and you will retain backwards compatibility with the regular OpenSSL API while avoiding vendor lock-in.