Below is KeyPair’s best effort to track the timeline for the new OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.
September 4, 2020
– OpenSSL FIPS Object Modules 2.0 (FIPS 140-2 Certs. 1747, 2398, 2473) were moved to the CMVP historical list due to the FIPS 186-2 transition in the Implementation Guidance for FIPS 140-2, G.18.
No earlier than July 2021
– The final release of OpenSSL 3.0 is expected “sometime in the New Year.” (“New Year” = 2021)
– On June 17, 2021, the OpenSSL 3.0 Release Candidate (Beta 1) was made available.
– Algorithm testing of the FIPS module begins with the FIPS 140 Lab.
No later than September 21, 2021
– The FIPS 140-2 validation report is submitted to the CMVP for the OpenSSL 3.0 FIPS Module.
No earlier than Q2 2022
– CMVP completes initial review (assuming 6-8 month queue time).
– OpenSSL 3.0 FIPS Module receives a FIPS 140-2 certificate. (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)
Q1: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
Q2: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A2: Canonical FIPS 140-2 Cert. #3622 works with OpenSSL 1.1.1. The OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module from the OpenSSL Team will be for OpenSSL 3.0.
Q3: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A3: Since the historical OpenSSL FIPS Object Modules use version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.
Q4: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A4: The current plan is to validate to FIPS 140-2 requirements. The CMVP began accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021 (unless special arrangements have been made to submit before April 1, 2022).
Q5: What will be the new sunset date for the OpenSSL 3.0 FIPS Module?
A5: September 21, 2026.