OpenSSL and FIPS 140-2 Validation Status

The most recent open source based validation of a cryptographic module (Module) compatible with the OpenSSL libraries is v2.0.1, FIPS 140-2 certificate #1747. This Module is documented in the 2.0 User Guide. It substantially updates and improves the earlier v1.2 module, FIPS 140-2 certificate #1051, which is documented in the 1.2 User Guide.
Important Note: Due to new requirements introduced in 2013, the current v2.0 Module is no longer suitable as a reference for private label validations; see the I.G. 9.5 FAQ. Due to earlier changes in the FIPS 140-2 validation requirements, the v1.2 Module is no longer a suitable model for private label validations in its current form past the year 2010; see the NIST Notices, discussion paper and Draft 800-131.
The 2.0 Validation

On January 4, 2011 we began work on the new open source FIPS 140-2 Level 1 validation. This validation covers most of the objectives we have been wanting to achieve in a new validation, including:
Current Status

The validation was awarded on June 27, 2012, certificate number #1747. The source code and User Guide document can be downloaded from the OpenSSL web site. On July 9, 2012 the first "change letter" update was approved, adding six additional platforms and a new revision number of 2.0.1. The revised source code can be used for all tested platforms, though the older 2.0 source distribution remains valid for the platforms tested at that time. On October 24, 2012, the second "change letter" update was approved, adding two additional platforms and a new revision number of 2.0.2. The revised source code can be used for all tested platforms, though the older 2.0 and 2.0.1 revisions remain valid for the platforms tested at the time those revisions were approved.
Sponsors

The OpenSSL Software Foundation receives support from multiple sources for each validation effort; however only those sponsors who have elected to be recognised for their contribution to OpenSSL are listed below.
If you have an interest in sponsoring any changes or additions to this validation please contact the OSF.
Some commercial software vendors ask us "what do we gain from sponsoring a validation that our competition can also use?". Our answer is "nothing, if you think in terms of obstructing your competition". If, on the other hand, you compete primarily on the merits of your products, what others may do with the validation is less of a threat, as they derive no more advantage from it than you do. Your advantage is that your sponsorship will probably cost less than the commercial software license you would otherwise have to buy, and you will retain backwards compatibility with the regular OpenSSL API while avoiding vendor lock-in.