OpenSSL 3.1.2: FIPS 140-3 Validated

Mar 11, 2025

The OpenSSL Corporation is pleased to announce that OpenSSL version 3.1.2 has achieved FIPS 140-3 validation, signifying its compliance with the rigorous cryptographic module security requirements set forth by the National Institute of Standards and Technology (NIST). This accomplishment marks a significant milestone in reinforcing trusted, standards-based encryption for organizations operating in regulated environments, including government agencies, healthcare institutions, and financial services.

OpenSSL 3.1.2 FIPS Provider holds certificate #4985, which remains valid for five years and expires on March 10, 2030

The OpenSSL Project initiated the OpenSSL 3.1.2 FIPS Provider validation in 2022, achieving certification under the latest Federal Information Processing Standards. This module expands cryptographic algorithm support, providing enhanced security for users requiring up-to-date protections.

Building on Prior Variations

• Established Track Record: The OpenSSL 3.1.2 FIPS module joins the two previous modules already listed as validated by NIST, underscoring the OpenSSL Project’s commitment to maintaining cryptographic standards
  • Certificate #4811
  • Certificate #4282
• Extended algorithm coverage: This release incorporates newly validated algorithms that expand on those covered by earlier modules, ensuring a more comprehensive approach to encryption

Overview of the FIPS 140-3 Validation Process

FIPS 140-3 (Federal Information Processing Standards Publication 140-3) outlines a comprehensive testing and certification program for cryptographic modules. Achieving compliance requires:

1. Accredited Laboratory Testing
   A recognized third-party lab conducts exhaustive examinations of the cryptographic module’s design, documentation, and implementation.
2. Reviewed by NIST using Cryptographic Module Validation Program (CMVP)
3. Certificate Issuance
   After final approval, NIST issues a FIPS 140-3 certificate, confirming the module’s compliance and authorizing its official listing on the NIST validation website.

Ensuring Compliance & Compatibility Across OpenSSL 3.x

With OpenSSL 3.1.2 now validated, users can confidently integrate this module into their systems, ensuring adherence to the most up-to-date cryptographic standards. This module is compatible with any version of OpenSSL 3.0, 3.1, 3.2, 3.3, 3.4 and future 3.5.

Key Benefits of FIPS 140-3 Compliance

1. Verified Cryptographic Compliance
   Certification confirms that the module meets baseline security and operational requirements for cryptographic operations.
2. Regulatory Support
   Many government and industry regulations mandate the use of validated cryptographic modules, simplifying compliance efforts for regulated entities.
3. Alignment with Updated Standards
   By meeting the latest FIPS criteria, the module ensures conformance with current guidelines.
4. Broad Industry Acceptance
   The OpenSSL Library is widely adopted, and FIPS 140-3 validation assures diverse user groups that they are deploying a recognized, standards-compliant cryptographic library.

Implementation and Next Steps

Organizations seeking to maintain compliance can now deploy OpenSSL 3.1.2 with confidence in its FIPS 140-3 – validated status. To facilitate a smooth transition, consider the following actions:

• Review Existing Deployments: Identify any legacy cryptographic modules that may require updates or replacements.
• Consult Documentation: The OpenSSL Library documentation outlines the necessary steps to configure and use the FIPS module.
• Engage Technical Support: The OpenSSL Corporation offers expert assistance, providing guidance and tailored support plans to facilitate the integration of the FIPS 140-3 module within existing infrastructures. This support mitigates migration risks and contributes to ensuring timely compliance deployment.
• Leverage FIPS Rebranding Services: The OpenSSL Corporation’s FIPS rebranding program enables organizations to acquire a FIPS 140-3 module validation under their own product or corporate identity. Once rebranded, the customer can add additional operational environments and perform additional testing and revalidation using a FIPS testing lab. This offering streamlines compliance, simplifies regulatory approvals, and provides a seamless branding experience while preserving the full benefits of the validated cryptographic module.

Thank You to the Community

The OpenSSL Corporation team extends its thanks to the NIST CMVP, and the broader community for their contributions and engagement throughout this process. OpenSSL 3.1.2, now FIPS 140-3 validated, enables organizations worldwide to secure sensitive data and communications while meeting regulatory requirements.

To stay apprised of future releases, updates, and best practices:

• Visit the OpenSSL Corporation Blog for announcements and join the technical discussions in GitHub and OpenSSL Communities website.
• Consult the NIST CMVP Validation List to verify active FIPS certificates.