Status of OpenSSL FIPS certification shifts again

The National Institute of Standards and Technology apparently has backtracked on its revocation of OpenSSL certification under the Federal Information Processing Standard.

OpenSSL, whose FIPS validation effort is managed by the Open Source Software Institute in Hattiesburg, Miss., in January became one of the first open-source software products to be validated under NIST's Cryptographic Module Validation Program for FIPS 140-2. Since then, the certificate has been suspended, then apparently revoked; on Tuesday it was placed back into suspension.

OSSI executive director John Weathersby said he was informed by his third-party certification testing lab that the revocation had been a mistake by NIST.

NIST officials were not available for comment. FIPS certificate 642, which could not be accessed on the CMVP Web site Monday, was back in place Tuesday afternoon, although it still was marked "not available," which means the certificate cannot currently be cited for new procurements.

If a validation certificate is marked "not available," the module is no longer available for procurement, but agencies that already deployed it may retain it and continue to cite the certificate to demonstrate compliance with FIPS 140-1 or FIPS 140-2.

OpenSSL is an open-source implementation of the Secure Sockets Layer and Transport Layer Security protocols, together with the underlying cryptographic library, that browsers, servers and other programs use to exchange data securely. The certification is critical to government use of the software, because federal agencies must use FIPS 140-2 validated cryptographic modules to protect unclassified but sensitive data.

The suspension took place in June, when questions were raised about the cryptographic module's interaction with software outside the boundary of the validated module. Weathersby said the problems have been corrected and the fix submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.

Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.

NIST does not explain the reasons for CMVP certificate suspensions because the information may be proprietary to the vendor. But CMVP supervisor Randy Easter said in a written statement that if critical problems are found, agencies would be notified to cease using the module.

NIST does not appear to have issued such a notice with regard to OpenSSL.

About the Author

William Jackson is a Maryland-based freelance writer.
