OpenSSL FIPS 140 Update

Oct 12, 2023

In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is crucial. The OpenSSL project has been at the forefront of cryptographic security for decades, providing a robust toolkit that enables encryption, decryption, and other cryptographic functions. In the continuous pursuit of enhancing security and regulatory compliance, we want to share our updated ambitious FIPS (Federal Information Processing Standards) plans.

The Importance of FIPS Compliance

The Federal Information Processing Standards (FIPS) are a set of standards and guidelines established by the National Institute of Standards and Technology (NIST) in the United States. FIPS was developed as an effort to create acceptable industry standards for use in the federal government. Now FIPS is both a US and Canadian government standard that specifies minimum security requirements for hardware, software, and firmware solutions handling sensitive government information or collaborating with government entities.

OpenSSL and FIPS: A Continuing Journey

• 140-2

  • Due to some bugs and CVE-2023-1255 in the FIPS provider, we had to update the following versions and restore our FIPS 140-2 certification for said versions

    • version 3.0.0 for the sponsor platforms

    • version 3.0.8 for all of our platforms except for Apple silicon based Mac

    • version 3.0.9 for all of our platforms.

      This is in coordination since the start of September. It will hopefully move to finalization soon.

• 140-3

  • We are on the IUT (Implementation Under Test) list
  • We are hoping to validate the recent 3.1.2 release - however, this is subject to change depending on NIST queue times
  • Currently awaiting the final versions of the security policy and vendor evidence documents.
  • Once the final versions are produced, we will do a review pass and approve them.
  • Once these documents are approved, the module can be submitted for validation.
    • It will then change from the IUT list to the Modules In Process or MIP list.
  • Once the module is on the MIP list we will go through the following stages:

    • Review Pending: this is just waiting to get a reviewer and typically takes a few months. This is generally the longest phase.

    • In Review: there is a reviewer looking at the module & the documentation

    • Coordination: this is a back and forth between the reviewer and our lab. Typically the lab passes most of the questions about the module to us and deals with the documentation. This takes weeks per iteration and the number of iterations is unknown.

    • Finalization: a fast paperwork only stage.

  • Due to a lot of changes made at NIST to speed up queue times, we are hoping to get our FIPS 140-3 validation in 2024 - we will keep you updated every step of the way

Significance of OpenSSL’s FIPS Commitement

By sharing our FIPS 140 plans with our community, we are sharing OpenSSL’s dedication to represent a forward-thinking approach to cryptographic security, ensuring that OpenSSL remains a trusted choice for those looking to secure their data in a world of persistent cyber threats. This ongoing journey signifies a commitment to not only meet today’s security standards but also to prepare for the challenges of tomorrow.

If you have any questions or comments please feel free to contact us at feedback@openssl.org