In March of 2006 Open SSL was certified FIPS 140-2 compliant, In July of 2006, the FIPS validation was suspended due to library calls in the cryptographic functions that were outside of the boundaries described in the evaluation submission, yes it was basically a clerical error.
Certified, then revoked, then labled as just suspended, and now finally after half a decade it is finally certified, again – from Linuxworld (here)
In the security industry most vendors have to deal with FIPS and Common Criteria, they are both a nightmare of documentation madness. How exactly does an organization balance product innovation (which according to the security blogbubble is in short supply) with the seemingly endless beauracracy that surrounds these certifications, which also require resubmission for substantitive changes to the systems. The first time I went through common criteria we were 2 major versions ahead of what we had submitted some 16 months prior through SAIC for EAL-3 CC, of course it has dramatically increased the number of vendors that use point releases to include major functional changes, but that is a bit disingenuous and defeats the purpose, no?