“Unofficial” OpenSSL 3.0 FIPS module timeline

Below is KeyPair’s best effort to track the timeline for the new OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.

December 31, 2019
– End of support for OpenSSL 1.0.2.
– Premium Level Support available from OpenSSL.

September 4, 2020
– OpenSSL FIPS Object Modules 2.0 (FIPS 140-2 Certs. 1747, 2398, 2473) dropped to the CMVP historical list due to the Implementation Guidance for FIPS 140-2, G.18 transition (FIPS 186-2).

No earlier than Q1 2021
Final release for OpenSSL 3.0 is expected to happen “sometime in the New Year.”
– Track the open items for OpenSSL 3.0.0 beta1 release.
– Validation of the FIPS module begins with the FIPS 140 Lab.

No earlier than Q2 2021
– The FIPS 140-2 validation report is submitted to the CMVP for the OpenSSL 3.0 FIPS Module.
– Note: FIPS 140-2 reports may not be submitted to the CMVP after September 21, 2021.

No earlier than Q1 2022
– CMVP completes initial review (assuming current 9-10 month queue time).

No earlier than Q2 2022
– OpenSSL 3.0 FIPS Module receives a FIPS 140-2 certificate. (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)


FAQs

Q1: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
A1: No.

Q2: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A2: Canonical FIPS 140-2 Cert. #3622 works with OpenSSL 1.1.1. The OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module from the OpenSSL Team will be for OpenSSL 3.0.

Q3: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A3: Since the historical OpenSSL FIPS Object Modules use version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.

Q4: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A4: The current plan is to validate to FIPS 140-2 requirements. The CMVP began accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021.

Q5: What will be the new sunset date for the OpenSSL 3.0 FIPS Module?
A5: September 21, 2026.

Q6: How do I bridge the gap until the OpenSSL 3.0 FIPS Module is validated?
A6: Please review Questions 3 & 4 in this post or just contact info@keypair.us.


KeyPair Consulting gets your supported operating systems tested and listed on a FIPS 140-2 certificate in your company’s name. See our Private Label service for more information.