Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 10.2(EOL)
- Fedora 27, package 'dracut-fips' installed
- 10.2.13
Description
Hello,
On Fedora 27, if you install the 'dracut-fips' package, MariaDB server won't start, with the following explanation:
mysql-prepare-db-dir[17281]: 2017-12-04 8:24:26 140228227141056 [ERROR] Incompatible OpenSSL version. Cannot continue...
It calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here:
crypto/mem.c, lines 39-40:
    if (!allow_customize)
        return 0;
And that's the issue.
The 'dracut-fips' package causes the FIPS self-tests to be called in the libcrypto constructor. The FIPS self-test performs allocations, and that's why the allocation function cannot be altered.
—
The same state should be reached in FIPS mode, although so far I have talked about the 'dracut-fips' package being installed with FIPS mode still disabled.
Yes. This is basically a FIPS bug — as far as I understand, Ubuntu fixed it here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748 (although it looks like they've simply removed some FIPS patches).
I'm not quite sure what we can do about it. I can disable the OpenSSL compatibility check if FIPS mode is enabled. Meaning that if the next OpenSSL release changes the sizes of its internal structures, we won't notice it in FIPS mode and the server might crash instead of failing to start. The chance of this happening is not very high; normally we would've tried the server on a non-FIPS version of OpenSSL by then and adjusted the buffers.
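Added example, not part of the original report or comments and not MariaDB or OpenSSL code: a simplified C model of the ordering problem described in this thread, where an allocation made from the library constructor closes the `allow_customize` latch before the application can install its allocator hook. All `model_*` names, `counting_malloc` and the byte sizes are hypothetical, and the assumption is that the application's hook exists to measure allocation sizes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the latch in OpenSSL's crypto/mem.c.
 * Every model_* name and counting_malloc is hypothetical. */
typedef void *(*malloc_fn)(size_t);

static int allow_customize = 1;       /* cleared by the first allocation */
static malloc_fn malloc_impl = malloc;
static size_t hook_bytes = 0;         /* bytes seen by the application hook */

/* Same guard as the lines quoted in the report. */
static int model_set_mem_functions(malloc_fn m)
{
    if (!allow_customize)
        return 0;
    malloc_impl = m;
    return 1;
}

static void *model_malloc(size_t n)
{
    allow_customize = 0;              /* allocator can no longer be swapped */
    return malloc_impl(n);
}

/* Stand-in for FIPS self-tests run from the library constructor. */
static void model_library_constructor(int fips_selftest)
{
    if (fips_selftest)
        free(model_malloc(64));       /* constructed size: self-test scratch */
}

/* Application hook that records requested sizes (assumed purpose). */
static void *counting_malloc(size_t n) { hook_bytes += n; return malloc(n); }

/* Library load, then hook install. Returns 1 if the hook took effect. */
static int model_startup(int fips_selftest)
{
    allow_customize = 1; malloc_impl = malloc; hook_bytes = 0;
    model_library_constructor(fips_selftest);
    if (!model_set_mem_functions(counting_malloc))
        return 0;                     /* nothing measurable: refuse to start */
    free(model_malloc(128));          /* constructed size: one context */
    return hook_bytes == 128;
}

int main(void)
{
    printf("no self-test: hook accepted = %d\n", model_startup(0));
    printf("self-test in constructor: hook accepted = %d\n", model_startup(1));
    return 0;
}
```

In the model, the failure depends only on whether anything allocated before the hook was installed, not on the library version, which is why the error message in the report is misleading in this situation.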