“Unofficial” OpenSSL 3.0 FIPS module timeline

The OpenSSL FIPS Provider FIPS 140-2 Cert. #4282 was posted on the CMVP Active Modules List on August 23, 2022. Congratulations to the OpenSSL Team and the sponsors of this project.

This FIPS module works with OpenSSL 3.0.0. If you are interested in rebranding OpenSSL’s FIPS 140-2 Cert. #4282, then please see this OpenSSL blog post.

The remainder of this post is historical reference.

Below is KeyPair’s best effort to track the timeline for the new OpenSSL 3.0 FIPS 140-2 module. Links are provided for additional details.

Last updated: September 21, 2022

December 31, 2019
End of support for OpenSSL 1.0.2.
Premium Level Support available from OpenSSL.

September 4, 2020
– OpenSSL FIPS Object Modules 2.0 (FIPS 140-2 Certs. 1747, 2398, 2473) dropped to the CMVP historical list due to the Implementation Guidance for FIPS 140-2, G.18 transition (FIPS 186-2).

No earlier than July 2021
Final release for OpenSSL 3.0 is expected to happen “sometime in the New Year.” (“New Year” = 2021)
– On June 17, 2021, the OpenSSL 3.0 Release Candidate (Beta 1) was made available.
– Algorithm testing of the FIPS module begins with the FIPS 140 Lab.

July 2021
– On July 29, 2021, the OpenSSL 3.0 Release Candidate (Beta 2) was made available.

September 2021
– On September 7, 2021, the final release of OpenSSL 3.0.0 was published.
– Algorithm testing completed on September 15, 2021 resulting in CAVP Cert. #A1938
– On September 17, 2021, the FIPS 140-2 validation report was submitted to the CMVP for the OpenSSL 3.0 FIPS Provider. The CMVP Modules in Process List shows the current review status (search for “OpenSSL FIPS Provider”).

Q2 2022
– On February 15, 2022, the OpenSSL FIPS Provider report moved to “In Review” on the NIST Modules in Process List.
– CMVP completed initial review on April 29, 2022. The OpenSSL FIPS Provider report is in “Coordination” on the NIST Modules in Process List. The FIPS Lab and the OpenSSL Team are responding to comments from the CMVP.

Q3-Q4 2022
– On August 23, 2022, the OpenSSL 3.0 FIPS Provider was issued FIPS 140-2 certificate #4282.

KeyPair Consulting gets your supported operating systems tested and listed on a FIPS 140-2 certificate in your company‚Äôs name. See our Private Label service for more information.