Details
Type: Task
Status: Verified
Priority: Major
Resolution: Unresolved
BB v1.08
Description
Scope
This task covers the following builders, available at https://buildbot.mariadb.net:
- openssl3-fips-debug
- openssl3-nofips-debug
The goal of these builders is to ensure MariaDB is compatible with OpenSSL3, without providing any end-user binaries.
Details
The steps required by these builders:
1. Fetch tarball
2. Compile against OpenSSL3 library 3.0.9 (the latest release that is FIPS certified, according to https://openssl-library.org/source/)
- -DWITH_SSL=<path-to-openssl3>
- -DCMAKE_BUILD_TYPE=Debug
- -DWITH_DBUG_TRACE=OFF
- No need to compile the extra storage engines RocksDB, Sphinx, Spider, Mroonga, FederatedX, Federated, Connect
3. Ensure OpenSSL3 is dynamically linked into mariadbd and mariadb
- This can be a test step. The output of readelf / ldd should show:
- libcrypto.so.3 => <some-path-to>/openssl3/lib64/libcrypto.so.3
4. Ensure the latest galera is installed on the system.
- TODO: clarify exact galera requirements. Some tests in step 5 include galera.
5. Run the following tests with FIPS-enabled OpenSSL3:
- All tests whose name matches the pattern *ssl*.test
- All tests whose content matches one of the following patterns:
encode|des_encrypt|aes_encrypt|md5|sha[12]
- All tests from the encryption and plugin suites
- NOTE: If resources allow, we could just run all tests.
- openssl.cnf file contents are:
# Toplevel section for openssl (including libssl)
openssl_conf = default_conf_section

[default_conf_section]
providers = provider_sect
# We only specify configuration for the "ssl module"
ssl_conf = ssl_section
alg_section = algorithm_sect

[ssl_section]
system_default = system_default_section

[system_default_section]
CipherString = ALL:@SECLEVEL=0

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes

.include /home/buildbot/openssl3/fipsmodule.cnf
6. Run the same tests with FIPS-disabled OpenSSL3 (change openssl.cnf):
# Toplevel section for openssl (including libssl)
openssl_conf = default_conf_section

[default_conf_section]
# We only specify configuration for the "ssl module"
ssl_conf = ssl_section

[ssl_section]
system_default = system_default_section

[system_default_section]
CipherString = ALL:@SECLEVEL=0
TODO:
The openssl3-nofips-debug builder in https://buildbot.mariadb.net only seems to run step 6 from above, without any other changes.
Perhaps this is an oversight, which would mean we do not need two different builders.
Issue Links
- is blocked by MDEV-37209 mtr galera_3nodes.galera_garbd_backup test failures (Open)
- is blocked by MDEV-37257 WSREP: Notification command failed: 1 (Operation not permitted) (Open)
- relates to MDEV-32368 Docker image crashes on launch with OpenSSL 3 FIPS activated (Closed)