== FIPS 140 validation ==
[[FIPS 140]] is a U.S. Federal program for the testing and certification of cryptographic modules. An early FIPS 140-1 certificate for OpenSSL's FOM 1.0 was revoked in July 2006 "when questions were raised about the validated module's interaction with outside software." The module was re-certified in February 2007 before giving way to FIPS 140-2.<ref>{{cite web |url=http://www.gcn.com/online/vol1_no1/43142-1.html |title=NIST recertifies open source encryption module |publisher=gcn.com |url-status=dead |archive-url=https://web.archive.org/web/20071010000622/http://www.gcn.com/online/vol1_no1/43142-1.html |archive-date=2007-10-10}}</ref>

OpenSSL 1.0.2 supported the use of the OpenSSL FIPS Object Module (FOM), which was built to deliver FIPS approved algorithms in a FIPS 140-2 validated environment.<ref>{{cite web |url=https://www.openssl.org/docs/fips.html |title=FIPS-140 |publisher=openssl.org |access-date=2019-11-12}}</ref><ref>{{cite web |date=2017-03-14 |url=https://www.openssl.org/docs/fips/UserGuide-2.0.pdf |title=OpenSSL User Guide for the OpenSSL FIPS Object Module v2.0 |publisher=openssl.org |access-date=2019-11-12 |archive-date=June 9, 2020 |archive-url=https://web.archive.org/web/20200609025558/https://www.openssl.org/docs/fips/UserGuide-2.0.pdf |url-status=live}}</ref> OpenSSL controversially decided to categorize the 1.0.2 architecture as 'end of life' or 'EOL', effective December 31, 2019, despite objections that it was the only version of OpenSSL that was currently available with support for FIPS mode.<ref name="openssl_blog_3.0_update">{{cite web |url=https://openssl-library.org/post/2019-11-07-3.0-update/ |title=Update on 3.0 Development, FIPS and 1.0.2 EOL |website=OpenSSL Blog |date=7 November 2019 |access-date=2024-10-11}}</ref> As a result of the EOL, many users were unable to properly deploy the FOM 2.0 and fell out of compliance because they did not secure extended support for the 1.0.2 architecture, although the FOM
itself remained validated for eight months further.

The FIPS Object Module 2.0 remained FIPS 140-2 validated in several formats until September 1, 2020, when NIST deprecated the usage of FIPS 186-2 for [[Digital Signature Standard]] and designated all non-compliant modules as 'Historical'. This designation includes a caution to federal agencies that they should not include the module in any new procurements. All three of the OpenSSL validations were included in the deprecation – the OpenSSL FIPS Object Module (certificate #1747),<ref>{{cite web |url=https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1747 |title=Cryptographic Module Validation Program Certificate #1747 |website=Computer Security Resource Center |date=October 11, 2016}}</ref> OpenSSL FIPS Object Module SE (certificate #2398),<ref>{{cite web |url=https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2398 |title=Cryptographic Module Validation Program Certificate #2398 |website=Computer Security Resource Center |date=October 11, 2016 |access-date=October 29, 2020 |archive-date=October 26, 2020 |archive-url=https://web.archive.org/web/20201026130404/https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2398 |url-status=live}}</ref> and OpenSSL FIPS Object Module RE (certificate #2473).<ref>{{cite web |url=https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2473 |title=Cryptographic Module Validation Program Certificate #2473 |website=Computer Security Resource Center |date=October 11, 2016}}</ref> Many 'private label' OpenSSL-based validations and clones created by consultants were also moved to the Historical List, although some FIPS validated modules with replacement compatibility avoided the deprecation, such as BoringCrypto from Google<ref>{{cite web
|url=https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced&Vendor=google&ModuleName=boringcrypto&Standard=140-2&CertificateStatus=Active&ValidationYear=0 |title=Cryptographic Module Validation Program search results |website=Computer Security Resource Center |date=October 11, 2016}}</ref> and CryptoComply from SafeLogic.<ref>{{cite web |url=https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced&Vendor=safelogic&ModuleName=cryptocomply&Standard=140-2&CertificateStatus=Active&ValidationYear=0 |title=Cryptographic Module Validation Program search results |website=Computer Security Resource Center |date=October 11, 2016}}</ref>

The OpenSSL Management Committee announced a change in the versioning scheme. Due to this change, the major number of the next major version would have been doubled, since the OpenSSL FIPS module already occupied this number. Therefore, the decision was made to skip the OpenSSL 2.0 version number and continue with OpenSSL 3.0.

OpenSSL 3.0 restored FIPS mode and underwent FIPS 140-2 testing, but with significant delays: the effort was first kicked off in 2016 with support from SafeLogic<ref>{{cite news |url=https://gcn.com/articles/2016/07/20/openssl-fips |title=Getting government approval of a more secure OpenSSL |last=Schneider |first=Troy K.
|date=20 July 2016 |work=GCN: Technology, Tools, and Tactics for Public Sector IT |archive-date=May 9, 2021 |access-date=October 29, 2020 |archive-url=https://web.archive.org/web/20210509143554/https://gcn.com/articles/2016/07/20/openssl-fips |url-status=live}}</ref><ref>{{cite news |url=https://www.fedscoop.com/openssl-us-government-safelogic-fips-140-2-2016/ |first=Shaun |last=Waterman |title=SafeLogic saves the day for feds' use of OpenSSL |date=21 July 2016 |work=FedScoop}}</ref><ref>{{cite news |url=https://www.infoworld.com/article/3098868/reworked-openssl-on-track-for-government-validation.html |first=Fahmida Y. |last=Rashid |title=Reworked OpenSSL on track for government validation |date=26 July 2016 |work=InfoWorld}}</ref> and further support from Oracle in 2017,<ref>{{cite news |url=https://www.dbta.com/Editorial/News-Flashes/Oracle-SafeLogic-and-OpenSSL-Join-Forces-to-Update-FIPS-Module-119707.aspx |first=Joyce |last=Wells |title=Oracle, SafeLogic and OpenSSL Join Forces to Update FIPS Module |date=3 August 2017 |work=Database Trends and Applications}}</ref><ref>{{cite news |url=https://www.eweek.com/security/oracle-joins-safelogic-to-develop-fips-module-for-openssl-security |first=Sean Michael |last=Kerner |title=Oracle Joins SafeLogic to Develop FIPS Module for OpenSSL Security |date=4 August 2017 |work=eWeek}}</ref> but the process has been challenging.<ref>{{cite web |url=https://openssl-library.org/post/2020-10-20-openssl3.0alpha7/ |title=OpenSSL 3.0 Alpha7 Release |date=20 October 2020 |access-date=2024-10-11 |website=OpenSSL Blog |archive-date=October 14, 2024 |archive-url=https://web.archive.org/web/20241014051322/https://openssl-library.org/post/2020-10-20-openssl3.0alpha7/ |url-status=live}}</ref> On October 20, 2020, the OpenSSL FIPS Provider 3.0 was added to the CMVP Implementation Under Test List, which reflected an official engagement with a testing lab to proceed with a FIPS 140-2 validation. 
This resulted in a slew of certifications in the following months.<ref>{{cite web |url=https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&ModuleName=OpenSSL&CertificateStatus=Active&ValidationYear=0 |title=Cryptographic Module Validation Program: OpenSSL |website=Computer Security Resource Center |date=October 11, 2016 |access-date=September 24, 2021 |archive-date=April 14, 2021 |archive-url=https://web.archive.org/web/20210414133436/https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&ModuleName=openssl&CertificateStatus=Active&ValidationYear=0 |url-status=live}}</ref>