Cryptography and SSL/TLS Toolkit

OpenSSL and FIPS 140-2

The most recent open source based validation of a cryptographic module (Module) compatible with the OpenSSL libraries is v2.0.9, FIPS 140-2 certificate #1747. This Module is documented in the 2.0 User Guide. It substantially updates and improves the earlier v1.2 module, FIPS 140-2 certificate #1051, which is documented in the 1.2 User Guide.

Important Note: Due to new requirements introduced in 2013 the current v2.0 Module is no longer suitable as a reference for private label validations; see the I.G. 9.5 FAQ. Due to earlier changes in the FIPS 140-2 validation requirements the v1.2 Module is no longer be a suitable model for private label validations in its current form past the year 2010; see the NIST Notices, discussion paper and Draft 800-131.


The OpenSSL FIPS Object Module validations receive support from multiple sources for each validation effort; however only those sponsors who have elected to be recognised for their contribution to OpenSSL are listed below.

Defense Advanced Research Projects Agency (DARPA) Transformative Apps Program, original primary sponsor of the overall validation with several Android on ARMv7 platforms.
Intersoft International, Inc., platform sponsor (VC++ Win32/x86 asm optimisation)
Opengear, Inc., platform sponsor (uCLinux ARMv4 asm optimisation)
QuintessenceLabs Pty Ltd, platform sponsor (Fedora 14 x86-64 asm optimisation)
PKWARE, Inc., platform sponsor (HPUX 11i on Itanium 32, 64 bit with asm optimisation)
Cerberus, LLC, general sponsor
DHS Science and Technology Directorate-sponsored Homeland Open Security Technology (HOST) program, algorithm sponsor (CMAC, AES-CCM)
Innominate Security Technologies AG, platform sponsor (Linux on Freescale MPC8313)
PSW GROUP, general sponsor
Citrix Systems, Inc., platform sponsor (multiple platforms)

If you have an interest in sponsoring any changes or additions to this validation please contact OpenSSL Validation Services.

Some commercial software vendors ask us "what do we gain from sponsoring a validation that our competition can also use?". Our answer is "nothing, if you think in terms of obstructing your competition". If, on the other hand, you compete primarily on the merits of your products then what others may do with the validation is less of a threat as they derive no more advantage from it than you do. Your advantage is that your sponsorship will probably cost less that the commercial software license you would otherwise have to buy, and you will retain backwards compatibility with the regular OpenSSL API while avoiding vendor lock-in.