March 20, 2007

Compatibility Upgrade for FIPS OpenSSL (0.9.8)

jmw writes "OSSI Announces Compatibility Upgrade for FIPS Validated OpenSSL Object Module

Washington, DC – March 19, 2007 - The Open Source Software Institute announced today plans to upgrade the FIPS validated OpenSSL Object Module to provide compatibility with the current, publicly-available 0.9.8 version of OpenSSL. The compatibility upgrade is part of the recently announced OpenCrypto Management Program, which is sponsored through the DoD Open Technology Development roadmap initiative.

“Due to the substantial API (application programming interface) changes between the initial FIPS validated OpenSSL 0.9.7 version and most current 0.9.8 version, this upgrade was an important step that we wanted to address immediately,” said OSSI program technical lead, Steve Marquess. “The OpenSSL team plans to merge the FIPS specific code into the current version as soon as possible and OSSI will use this 0.9.8 code base for the next rounds of FIPS 140-2 validations.”

As defined in the OpenCrypto Management Program, OSSI will use the most current available version of OpenSSL to develop and support a “Rolling Validation” for the OpenSSL as a binary module. On a rotating basis, estimated at every six to nine months, the OSSI and OpenSSL team will submit an updated version for another validation. These rolling validations are designed to address vendor concerns with the schedule uncertainties experienced with the initial open source-based validation.

“Prospective end users can use the specific binaries that were validated, if they happen to be suitable as-is. If not, OSSI will, in collaboration with the OpenSSL team, build a binary for the desired platform, where technically possible,” said OSSI technical project manager Steve Marquess. “Under a CMVP process known as "vendor affirmation" (CMVP Implementation Guidance, section G.5) that binary, as delivered to the end user, will satisfy the requirements for a FIPS 140-2 validated module.

“For non-U.S. DoD end users there will be a one-time charge calculated on a cost-recovery basis,” he said.

The only such validated foundation currently available is the one for certificate #733, circa 0.9.7j, which end users can build from source themselves. The next open source validation based on more current source will not be available for a minimum of six months.

For additional information on the OpenCrypto Management Program or the Rolling Validation project, please contact John Weathersby at

About OSSI
The Open Source Software Institute is a U.S.-based non-profit organization whose mission is to promote the development and implementation of open source software solutions within U.S. Federal, state and municipal government agencies. For additional information, please visit the OSSI website at

About OpenSSL
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

# # #"

