“Unofficial” OpenSSL 3.0 FIPS module timeline

Below is KeyPair’s best effort to track the timeline for the new OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.

December 31, 2019
End of support for OpenSSL 1.0.2.
Premium Level Support available from OpenSSL.

September 4, 2020
– OpenSSL FIPS Object Modules 2.0 (FIPS 140-2 Certs. 1747, 2398, 2473) dropped to the CMVP historical list due to the Implementation Guidance for FIPS 140-2, G.18 transition (FIPS 186-2).

No earlier than July 2021
Final release for OpenSSL 3.0 is expected to happen “sometime in the New Year.” (“New Year” = 2021)
– On June 17, 2021, the OpenSSL 3.0 Release Candidate (Beta 1) was made available.
– Algorithm testing of the FIPS module begins with the FIPS 140 Lab.

No later than September 21, 2021
– The FIPS 140-2 validation report is submitted to the CMVP for the OpenSSL 3.0 FIPS Module.

No earlier than Q2 2022
– CMVP completes initial review (assuming 6-8 month queue time).

Q2-Q3 2022
– OpenSSL 3.0 FIPS Module receives a FIPS 140-2 certificate. (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)


Q1: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
A1: No.

Q2: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A2: Canonical FIPS 140-2 Cert. #3622 works with OpenSSL 1.1.1. The OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module from the OpenSSL Team will be for OpenSSL 3.0.

Q3: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A3: Since the historical OpenSSL FIPS Object Modules use version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.

Q4: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A4: The current plan is to validate to FIPS 140-2 requirements. The CMVP began accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021 (unless special arrangements have been made to submit before April 1, 2022).

Q5: What will be the new sunset date for the OpenSSL 3.0 FIPS Module?
A5: September 21, 2026.

Q6: How do I bridge the gap until the OpenSSL 3.0 FIPS Module is validated?
A6: Please review Questions 3 & 4 in this post or just contact info@keypair.us

KeyPair Consulting gets your supported operating systems tested and listed on a FIPS 140-2 certificate in your company‚Äôs name. See our Private Label service for more information.