Below is KeyPair’s best effort to track the timeline for the OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.
On November 7, 2019, OpenSSL posted this update on the OpenSSL 3.0 schedule.
December 31, 2019
– End of support for OpenSSL 1.0.2.
– Code completion for OpenSSL 3.0.
– Validation of the FIPS module begins.
Early Q4 2020
– Final release of OpenSSL 3.0.
– OpenSSL 3.0 FIPS Module receives a FIPS certificate? (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)
Q1: Is support available for OpenSSL 1.0.2 after EOL on December 31, 2019?
A1: Yes, OpenSSL Software Services (OSS) can provide Premium Level Support for OpenSSL 1.0.2 in 2020.
Q2: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
Q3: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A3: We do not know of any validations for a FIPS 140-2 module that will work with OpenSSL 1.1.1. We do know that the OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module will be for OpenSSL 3.0.
Q4: Can we continue to use the OpenSSL FIPS Object Module v2.0.* for OpenSSL 1.0.2 in 2020 while we wait for the OpenSSL 3.0 FIPS Module to be validated?
A4: Technically, yes. Your company needs to make a decision about how you will support OpenSSL 1.0.2 in 2020 (see Q1 above).
Q5: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A5: Since the OpenSSL FIPS Object Module uses version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.
Q6: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A6: The current plan is to validate to FIPS 140-2 requirements. The CMVP begins accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021.