Two years after Heartbleed, an improved OpenSSL aims for government approval

A much-improved version of the cryptographic building block lacks FIPS 140-2 validation, but SafeLogic is stepping in to change that.


When the Heartbleed bug was discovered in 2014, federal agencies reported no significant fallout from the OpenSSL vulnerabilities on government websites. But as that vital open-source software library has been revised and strengthened in the two years since, a different problem has emerged: the newer, more secure OpenSSL 1.1 lacks a critical federal validation for cryptographic software.

Using it in federal systems, in fact, would be against the law.

At issue is FIPS 140-2 -- a standard set by the National Institute of Standards and Technology and its Canadian counterpart. All federal cryptographic-based security systems that involve sensitive information must be FIPS 140-2 compliant. And as the OpenSSL project's Steve Marquess explained in a September 2015 blog post, OpenSSL 1.1 was restructured so dramatically that new validation was needed.

That validation effort is a long and costly project, and Marquess warned at the time that without government sponsorship, OpenSSL 1.1 could be without a valid FIPS module for the foreseeable future.

On July 20, however, Marquess and SafeLogic founding CEO Ray Potter announced that SafeLogic would sponsor the FIPS validation. "With changes over the last few years," Potter wrote in a blog post explaining the decision, "the viability of legacy OpenSSL FIPS module validations has been repeatedly threatened, and the crypto community simply cannot accept the possibility of being without a certificate."

SafeLogic, a four-year-old Palo Alto, Calif., company that both offers proprietary encryption solutions and does FIPS validation for other products, will sponsor the engineering work on the FIPS module and then handle the validation effort. Acumen Security will be the testing laboratory, and the engineering itself will be done by the OpenSSL project.

Potter told FCW's sister publication, GCN, that the validation effort should avert an uncomfortable compliance bind that was looming.

"It's crucial to note that [Transport Layer Security Protocol Version 1.3] has made significant privacy and security improvements over TLS 1.2 and will soon be mandatory for DOD and other federal agencies," he said. "Of course, the catch is that TLS 1.3 is not compatible with previous versions of OpenSSL, so the migration to OpenSSL 1.1 will also be mandatory by proxy. This would have been the perfect storm in which the government would have been unable to comply with their own requirements if this project hadn't commenced."

None of the parties would offer a target date for completing the validation and making OpenSSL 1.1 an option for government users. Marquess, a former president of the OpenSSL Software Foundation who now heads OpenSSL Validation Services, had previously said the process could take two years or more, but SafeLogic officials told GCN they were confident validation would come "long before that."

This article first appeared on GCN, a sister site to FCW.

Note: This article was updated on July 22 to correct Steve Marquess' professional affiliations.