OpenSSL Blog

FIPS 140-2: Forward Progress


The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project would like to formally express its thanks to the following organisations for agreeing to sponsor the next FIPS validation effort: Akamai Technologies, Blue Cedar, NetApp, Oracle, VMware.

Four weeks ago, the OpenSSL team gathered with many of the organisations sponsoring the next FIPS module for a face-to-face meeting in Brisbane, Australia.

We got a great deal accomplished during that week. Having most of the fips-sponsor organisations in the same location helps ensure that we are all on the same page for the decisions we need to make going forward.

The fips-sponsor gathering (hosted by Oracle, Brisbane) involved a diverse group of people:

It has been more than seven years since the commencement of the previous FIPS140 module work and many things have changed during that time, both in terms of requirements of the Cryptographic Module Validation Program (CMVP) and the OpenSSL code base.

For the current validation effort, input and assistance from a small group (the five fips-sponsors) is essential to achieving the outcomes of the project in this area - a validated module that is usable by itself and can also form the foundation for other companies to perform their own validations for any areas where there are specific requirements outside the general scope.

As the project moves from high-level design to detailed design, prototyping, development, testing, documentation and quality assurance, we plan to make information available to the OpenSSL community for review and comment - as the next FIPS140 module will be substantially different to the previous approaches.

We are mindful of the end-of-life date for OpenSSL-1.0.2 (31-Dec-2019) and the end-of-life (sunset date) of the existing OpenSSL FIPS Object Module (29-Jan-2022), and our objective remains to have a validated cryptographic module in place well before 31-Dec-2019.