OpenSSL 3.0 FIPS timeline

Below is KeyPair’s best effort to track the timeline for the OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.

On November 7, 2019, OpenSSL posted this update on the OpenSSL 3.0 schedule.

December 31, 2019
End of support for OpenSSL 1.0.2.

Q2 2020
– Code completion for OpenSSL 3.0.
– Validation of the FIPS module begins.

September 1, 2020
IG G.18 transition date. OpenSSL FIPS Object Module Certs. #1747, #2398, #2473 expected to move to the CMVP Historical Module List.

Early Q4 2020
– Final release of OpenSSL 3.0.

Q1 2021
– OpenSSL 3.0 FIPS Module receives a FIPS certificate? (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)

Q1: Is support available for OpenSSL 1.0.2 after EOL on December 31, 2019?
A1: Yes, OpenSSL Software Services (OSS) can provide Premium Level Support for OpenSSL 1.0.2 in 2020.

Q2: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
A2: No.

Q3: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A3: We do not know of any validations for a FIPS 140-2 module that will work with OpenSSL 1.1.1. We do know that the OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module will be for OpenSSL 3.0.

Q4: Can we continue to use the OpenSSL FIPS Object Module v2.0.* for OpenSSL 1.0.2 in 2020 while we wait for the OpenSSL 3.0 FIPS Module to be validated?
A4: Technically, yes. Your company needs to make a decision about how you will support OpenSSL 1.0.2 in 2020 (see Q1 above).

Q5: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A5: Since the OpenSSL FIPS Object Module uses version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.

Q6: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A6: The current plan is to validate to FIPS 140-2 requirements. The CMVP begins accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021.

KeyPair Consulting gets your supported operating systems tested and listed on a FIPS 140-2 certificate in your company’s name. See our Private Label service for more information.