OpenSSL loses FIPS certification
The National Institute of Standards and Technology has revoked certification of the open-source encryption tool OpenSSL under the Federal Information Processing Standard.
OpenSSL in January became one of the first open-source software products to be validated under NIST’s Computer Module Validation Program for FIPS-140-2. The certificate apparently was suspended in June when questions were raised about the validated module’s interaction with outside software elements.
The revocation caught the Open Source Software Institute, which shepherded the module through the validation process, by surprise.
“I am discouraged with what appears to be another change after certification has been awarded,” said executive director John Weathersby. “It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us.”