The Open Source Software Institute (OSSI) announced today the FIPS 140-2 re-validation of the OpenSSL FIPS Object Module, a cryptographic library based on the widely used OpenSSL product. The official validation certificate (#733) is now posted at the NIST FIPS 140-1 and 140-2 Cryptographic Modules Validation List (opens in new tab).
The OpenSSL FIPS Object Module is freely available for download here. The OpenSSL FIPS Object Module Security Policy and User Guide are also available for download through the OSSI website (opens in new tab) and may be used and reproduced without restriction.
"The OpenSSL FIPS Object Module is CMVP-validated software, paid for by DoD and corporate sponsors, and is now available at no additional cost for government and other entities to acquire and implement," said OSSI executive director John Weathersby. "By once again securing FIPS 140 validation for the OpenSSL Object Module, we've helped to demonstrate the validity and durability of the open source development model, even within the most stringent confines of the government Information Assurance (IA) validation process."
OpenSSL is an open source library that provides cryptographic functionality to applications such as secure web servers. The Cryptographic Module Validation Program (CMVP), a joint effort between the U.S. National Institute of Standards and Technology (NIST) and the Canadian Communications Security Establishment (CSE), validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography-based standards.
"This validation is a first," noted Steve Marquess, the OSSI technical project manager for this effort. "Government programs, and the commercial vendors supplying those programs, now have access to a validated cryptographic library supporting the very popular OpenSSL API without the delays and expense of separate FIPS 140-2 validations for each and every application."
The FIPS validated OpenSSL Cryptographic Module v1.1.1 is defined as a specific discrete unit of binary object code generated from a specific OpenSSL source distribution. This source distribution is compiled to create a library that is used to provide a cryptographic API (Application Programming Interface) to external applications, and is compatible with a wide variety of hardware and operating system platforms.