What You Need to Know about FIPS 140-2, OpenSSL, and the new IG Requirement

You may have heard about the new interpretation of the mandatory requirement in Section 9.5 of the Implementation Guidance (IG) document, a key component of FIPS 140-2 documentation issued by the Cryptographic Module Validation Program (CMVP). This interpretation is causing conflicts with the architecture of the OpenSSL validations and how OpenSSL’s validation applies to customers using their software.

The new IG requirement interpretation requires that none of the function calls in the OpenSSL cryptographic library return useful information until after FIPS-required POST tests are performed. It also requires that this restriction be enforced in the cryptographic library itself, and not simply stated as a condition to be satisfied by the calling application.

According to OpenSSL, this new interpretation mandates some very disruptive changes to software libraries like the OpenSSL FIPS Object Module and those derived from it, which affects a great many commercial product validations. How disruptive? Until OpenSSL has more clarity on this issue they are not accepting new private label validations, and they’re trying to determine how to save those already in progress.

Although they don’t expect that a new FIPS module that satisfies this new requirement will become available any time soon, or an accompanying “FIPS-capable” OpenSSL, the good news is that the existing OpenSSL FIPS Object Module 2.0 (2.0 FIPS module) Validation Certificate #1747 is  not affected by this new requirement and will still be available as a validated cryptographic module. Will they pursue additional validations? OpenSSL feels that the new interpretation will mean that any new open-source based validation for them can be expected to take a minimum of 18 months or so. And that’s if they can find funding to pursue additional validations. They are currently pessimistic at best as to whether they will pursue these additional validation efforts.

We have read OpenSSL’s FAQ, and completely understand their frustrations and issues. However, a major limitation lies in the fact that validations are in fact time-consuming and expensive, and non-commercial efforts often must decrease the number of resources applied to their efforts. With their current architecture, resources, and history, OpenSSL feels that they do not have better options.

That’s where Corsec can help. The CMVP is working with other validations, labs, and vendors on how these guidelines are interpreted and when they are applied. Corsec can help you to assess what options are available, whether small change can allow a validation to progress, and the best method to attain your validation efficiently and quickly. We offer our customers reasonably priced options that will meet your business needs.

Who’s To Blame? Not Us.

Since Corsec has done a considerable amount of work with OpenSSL validations, we’ve been asked if we somehow created this problem between OpenSSL and CMVP.


We have a very high regard for the wonderful folks at the OpenSSL project and the code they offer and support. However, Corsec did not author any part of the OpenSSL code, nor did we architect any of OpenSSL’s validation efforts, nor were we involved in the CMVP validation of the OpenSSL Project.

We applaud the OpenSSL Project for all their hard work over the years, of which Corsec customers are the beneficiaries. However, Corsec has had to help many of our commercial customers to validate their products despite the challenges inherent in the architecture of OpenSSL validations. This architecture differs sharply from and is separate from the architecture of validations performed by Corsec on behalf of our customers.

We also have the highest respect for the folks at CMVP. Despite having very limited resources and having to operate within multiple government bureaucracies, the FIPS 140-2 testing program has enjoyed more longevity, been more commercially responsive, more widely adopted, and has validated more products than just about any other government testing program ever.

However, navigating FIPS 140-2 involves working with two government agencies that coordinate cryptographic module testing and algorithm testing against dozens of standards through twenty or so testing laboratories. It’s ever-changing, time-consuming and often riddled with red tape.

That said, Corsec has been working successfully with CMVP and the testing lab for decades. We will work with you to minimize your issues and help you avoid landmines, because we know the folks at both the OpenSSL and the CMVP really well. We’ll help you achieve your FIPS 140-2 validation faster, cheaper and with far less hassle than if you go it alone.

Have questions? Contact us and speak with a Business Development Manager, who’ll be happy to discuss your particular situation.


Leave a Comment