Oracle, OpenSSL and SafeLogic are investing in developing the next-generation open source OpenSSL 1.1 FIPS 140-2 module, and have called for others to join the effort. OpenSSL is a widely used and respected cryptographic library that protects data transfers across computer networks.
Oracle has made a $50,000 seed investment to start the project.
OpenSSL gained widespread attention in 2014 with the discovery of the Heartbleed bug, a security flaw that could allow a remote attacker to retrieve private memory of an application that uses the OpenSSL library in chunks of 64k at a time. While the vulnerability was subsequently fixed, the event served as a wake-up call about the need for participation, support, and funding for OpenSSL and other heavily used open source software.
According to the companies, the current FIPS module for OpenSSL has not had a significant upgrade since 2012, while encryption standards have evolved significantly.
Beyond the $50,000 seed investment that starts the project, Oracle will make a further $50,000 investment, contingent on the progress of the effort.
Ensuring that OpenSSL maintains an up-to-date FIPS implementation is critical to helping maintain the security posture of sensitive data on government systems and the continuous safety of millions of transactions performed daily, said Jim Wright, chief architect, Open Source Policy, Strategy, Compliance and Alliances at Oracle. Oracle is also encouraging other software vendors to join the project to help deliver a free, open source FIPS module.
In addition to working closely with the OpenSSL Foundation’s team, Oracle and SafeLogic have collaborated closely on both the investments in this effort and its project framework.
SafeLogic has been actively working with OpenSSL on this project since July 2016.
Efforts are already in progress on the initial stage of designing a new module to accommodate the many changes in FIPS 140 validations over the past 5 years, said Steve Marquess, president of OpenSSL Validation Services, Inc., who noted that with a few more partners from the community, the project will be on its way toward a complete FIPS 140-2 solution for OpenSSL releases 1.1 and later.
Other sponsors with a vested interest can get in touch with SafeLogic to arrange their own donations, as it is administering contributions to directly fund both the hard and soft costs of the OpenSSL 1.1 FIPS Module project, noted Ray Potter, CEO of SafeLogic, a company that provides strong encryption products for solutions in mobile, server, cloud, appliance, wearable, and IoT environments.
For more information about the project, how to contribute or the future roadmap, organizations can contact OpenSSL@SafeLogic.com.