Status of OpenSSL FIPS certification shifts again

The National Institute of Standards and Technology apparently has backtracked on its revocation of OpenSSL certification under the Federal Information Processing Standard.

OpenSSL, which is managed by the Open Source Software Institute in Hattiesburg, Miss., in January became one of the first open-source software products to be validated under NIST's Computer Module Validation Program for FIPS 140-2. Since then, the certificate has been suspended, then apparently revoked; on Tuesday it was placed back into suspension.

OSSI executive director John Weathersby said he was informed by his third-party certification testing lab that the revocation had been a mistake by NIST.

NIST officials were not available for comment. FIPS certificate 642, which could not be accessed on the CMVP Web site Monday, was back in place Tuesday afternoon, although it was still marked 'not available,' which means it is not currently valid.

If a validation certificate is marked 'not available,' the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

OpenSSL is an open-source implementation of Secure Sockets Layer encryption that browsers and other programs can use to exchange data securely. The certification is critical to government use of the software, because FIPS 140-2 validation is required for cryptographic products that protect unclassified but sensitive data.

The suspension took place in June, when questions were raised about the cryptographic module's interaction with software elements outside the certified module. Weathersby said the problems have been corrected and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.

Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.

NIST does not explain CMVP certificate suspensions because the information may be proprietary. But CMVP supervisor Randy Easter said in a written statement that if critical problems are found, agencies would be notified to cease using the module.

NIST does not appear to have issued such a notice with regard to OpenSSL.

About the Author

William Jackson is a Maryland-based freelance writer.
