Cryptography and SSL/TLS Toolkit

OpenSSL FIPS 140-2 Private Label Validations

If you haven't already, please read our FIPS 140-2 Notes page.

IMPORTANT NOTE: The multiple new formal requirements added since the #1747 validation was first approved in 2012, together with recent unfavorable experiences with increasingly unpredictable outcomes from the validation process, have accumulated to the point where private label validations are no longer economically feasible for a small organization of limited means; the risk doesn't justify the substantial investment of time and money required to pursue new validations. As of 2015 we are no longer performing any private label validations. Adding new platforms to the existing #1747 or comparable validations is still possible, and those validation actions are still being performed.

The rest of this page is of historical interest only.

What It Is

We have found that one of the most popular commercial services offered by the OpenSSL team is the private label validation. It's not a business we ever planned to be in, but as the originators of the source code based OpenSSL FIPS Object Module validations, and with lots of practice, we've gotten pretty good at it. The revenue we earn from these validations supports the OpenSSL project, and for some validations also results in useful additions to the OpenSSL baseline.

What You Get

For a total fixed price we will obtain a Level 1 FIPS 140-2 validation in your name using the OpenSSL FIPS Object Module v2.0 for two common platforms using unmodified source code. A common platform is a computing device (hardware and operating system) that is available and familiar to us and the test lab(s). Examples of common platforms are:

  • Microsoft Windows (32 bit) on x86 hardware
  • Microsoft Windows (64 bit) on x64 hardware
  • Linux on 32 bit x86 hardware
  • Linux (64 bit) on x64 hardware
  • The Android operating system on some common smart phones using ARM processors
  • HP-UX 11 on Itanium
  • Solaris on x64 hardware

Additional common platforms can be added to your validation for US$4000 (Linux/Unix/Android) or US$4500 (desktop/server Windows) each.

We will handle all interaction with the accredited testing lab and the CMVP. You sign one contract with the OSF with half of the price due as a down payment and the remainder due only when your certificate is posted by the CMVP.

Within two weeks of executing your contract with us, your pending validation will also appear on the pre-val list. The presence of your product on this list is sufficient to satisfy FIPS 140-2 requirements for some procurements.

What Qualifies

This turnkey validation package is applicable in the following circumstances:

  • You have already confirmed that the module generated from the OpenSSL FIPS Object Module v2.0 source distribution, possibly with modifications, works on your platform(s).
  • Your modifications to the OpenSSL source code, if any, are not "cryptographically significant". Roughly speaking, that means the modifications do not affect the actual cryptographic algorithms. Modifications for portability, such as changing #include statements or redefining macros, or changes to the build process such as new compiler or linker options, are generally acceptable.
  • Your application does not require cross-compilation (the build system and the target platform can be the same system), or your cross-compiled platform is one for which the complete build process, including generation of the integrity test digest, is already known and tested.
  • The actual platform, hardware and software, is either already available to the OSF and the lab or is supplied by you. We will need at least two complete sets of platform hardware and software for customer provided equipment. This equipment can be returned once the validation is awarded, though some customers have preferred to leave that equipment with us for regression testing of future revisions.
  • You have determined that the performance of the module is satisfactory on your specific target platform. We continually make performance enhancements to OpenSSL, only some of which can readily be incorporated into routine private label validations.

Note that we can still help you if not all of these circumstances apply, but we'll have to look at your specific situation more closely. Note that minor software modifications can often be accommodated in a change letter modification.

Interested? Contact OpenSSL Software Services.