Below is KeyPair’s best effort to track the timeline for the new OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.
September 4, 2020
– OpenSSL FIPS Object Modules 2.0 (FIPS 140-2 Certs. 1747, 2398, 2473) dropped to the CMVP historical list due to the Implementation Guidance for FIPS 140-2, G.18 transition (FIPS 186-2).
No earlier than July 2021
– Final release for OpenSSL 3.0 is expected to happen “sometime in the New Year.” (“New Year” = 2021)
– On June 17, 2021, the OpenSSL 3.0 Release Candidate (Beta 1) was made available.
– Algorithm testing of the FIPS module begins with the FIPS 140 Lab.
– On July 29, 2021, the OpenSSL 3.0 Release Candidate (Beta 2) was made available.
– On September 7, 2021, the final release of OpenSSL 3.0.0 was published.
– Algorithm testing completed on September 15, 2021 resulting in CAVP Cert. #A1938
– On September 17, 2021, the FIPS 140-2 validation report was submitted to the CMVP for the OpenSSL 3.0 FIPS Provider. The CMVP Modules in Process List shows the current review status (search for “OpenSSL FIPS Provider”).
No earlier than Q2 2022
– CMVP completes initial review (assuming 6-8 month queue time).
– OpenSSL 3.0 FIPS Provider receives a FIPS 140-2 certificate. (This is KeyPair’s best guess at the timeframe when the FIPS certificate will be posted.)
Q1: Will the OpenSSL FIPS Object Module v2.0.* work with OpenSSL 1.1.1?
Q2: Will there be any FIPS 140-2 modules that work with OpenSSL 1.1.1?
A2: Canonical FIPS 140-2 Cert. #3622 works with OpenSSL 1.1.1. The OpenSSL Project has no plans to develop a FIPS module for OpenSSL 1.1.1. The next FIPS module from the OpenSSL Team will be for OpenSSL 3.0.
Q3: Why is the versioning for OpenSSL skipping from 1.1.1 to 3.0?
A3: Since the historical OpenSSL FIPS Object Modules use version 2.0, the OpenSSL version will jump to 3.0 to avoid confusion.
Q4: Will the OpenSSL 3.0 FIPS Module be validated to FIPS 140-3 requirements?
A4: The current plan is to validate to FIPS 140-2 requirements. The CMVP began accepting FIPS 140-3 validation packages on September 22, 2020, but FIPS 140-2 modules may be validated until September 22, 2021 (unless special arrangements have been made to submit before April 1, 2022).
Q5: What will be the new sunset date for the OpenSSL 3.0 FIPS Module?
A5: September 21, 2026.