Status of OpenSSL FIPS certification shifts again

The National Institute of Standards and Technology apparently has backtracked on its revocation of OpenSSL certification under the Federal Information Processing Standard.

OpenSSL, which is managed by the Open Source Software Institute in Hattiesburg, Miss., in January became one of the first open-source software products to be validated under NIST's Computer Module Validation Program for FIPS 140-2. Since then, the certificate has been suspended, then apparently revoked; on Tuesday it was placed back into suspension.

OSSI executive director John Weathersby said he was informed by his third-party certification testing lab that the revocation had been a mistake by NIST.

NIST officials were not available for comment. FIPS certificate 642, which could not be accessed on the CMVP Web site Monday, was back in place Tuesday afternoon, although it still was marked 'not available,' which means it is not now valid.

If a validation certificate is marked 'not available,' the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

OpenSSL is an open-source version of Secure Sockets Layer encryption that can be used by browsers and other programs to securely exchange data. The certification is critical to government use of the software, because FIPS 140-2 validation is required for cryptographic products protecting unclassified but sensitive data.

The suspension took place in June, when questions were raised about the cryptographic module's interaction with software elements outside the certified module. Weathersby said the problems have been corrected and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.

Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.

NIST does not explain CMVP certificate suspensions because the information may be proprietary. But CMVP supervisor Randy Easter said in a written statement that if critical problems are found, agencies would be notified to cease using the module.

NIST does not appear to have issued such a notice with regard to OpenSSL.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected