Below is KeyPair’s best effort to track the timeline for the new OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.
September 4, 2020
– OpenSSL FIPS Object Modules 2.0 (FIPS 140-2 Certs. 1747, 2398, 2473) dropped to the CMVP historical list due to the Implementation Guidance for FIPS 140-2, G.18 transition (FIPS 186-2).
No earlier than Q1 2021
– Final release for OpenSSL 3.0 is expected to happen “sometime in the New Year.”
– Track the open items for OpenSSL 3.0.0 beta1 release.
– Validation of the FIPS module begins with the FIPS 140 Lab.
No earlier than Q2 2021
– The FIPS 140-2 validation report is submitted to the CMVP for the OpenSSL 3.0 FIPS Module.
– Note: FIPS 140-2 reports may not be submitted to the CMVP after September 21, 2021.
No earlier than Q1 2022
– CMVP completes initial review (assuming current 9-10 month queue time).
No earlier than Q2 2022
– OpenSSL 3.0 FIPS Module receives a FIPS 140-2 certificate. (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)
Q1: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
Q2: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A2: Canonical FIPS 140-2 Cert. #3622 works with OpenSSL 1.1.1. The OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module from the OpenSSL Team will be for OpenSSL 3.0.
Q3: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A3: Since the historical OpenSSL FIPS Object Modules use version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.
Q4: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A4: The current plan is to validate to FIPS 140-2 requirements. The CMVP began accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021.
Q5: What will be the new sunset date for the OpenSSL 3.0 FIPS Module?
A5: September 21, 2026.