OpenSSL Receives FIPS 140-2 Validation

Argon writes "Close on heals of NewsForge reporting about Government Agency dragging its heels on OpenSSL validation comes the news that OpenSSL receives FIPS Certification. More details are available at the Open Source Institute site which has been driving the effort to get OpenSSL certified. FIPS 140-2 certification allows software using the certified version of OpenSSL to get into various Government departments previously not possible, thus increasing penetration of Free Software in Government."

"Pending" for 2 weeks

[nealmcb]

Congrats and thanks to the team - I can only imagine what a struggle this has been.

From http://www.oss-institute.org/

    Two points to remember please: a) the validation is still considered
    "pending" until it is posted on the NIST site...in no more than 2
    weeks from the announcement date -- NIST official protocol, and b)
    the validation does not immediately solve all FIPS 140-2 compliance
    issues.

The big thing available now is "OpenSSL Security Policy Version 1.0"
    http://oss-institute.org/images/OpenSSL_SecurityPo licy_FINAL.pdf

      This document is required as a part of the FIPS 140-2 validation
      process. It describes the OpenSSL FIPS cryptographic module in
      relation to FIPS 140-2 requirements. The companion document
      OpenSSL FIPS 140-2 User Guide (Reference 14)is a technical
      reference for developers using, and system administrators
      installing, the OpenSSL FIPS software, for use in risk assessment
      reviews by security auditors, and as a summary and overview for
      program managers.

The "validated OpenSSL USER GUIDE" will be available within two weeks
of the announcement date.

No sign yet of OpenSSL 0.9.7j on the openssl site.

There is an email list available for updates:

  http://mail.oss-institute.org/mailman/listinfo/fip s-nist-update_oss-institute.org