Details

    • 10.2.13

    Description

      Hello,

      On Fedora 27, if you install the 'dracut-fips' package, the MariaDB server won't start, with the following explanation:

      mysql-prepare-db-dir[17281]: 2017-12-04  8:24:26 140228227141056 [ERROR] Incompatible OpenSSL version. Cannot continue...
      

      it calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here:

      ┌──crypto/mem.c──────────────────────
      │39          if (!allow_customize)
      │40              return 0;         
      

      And that's the issue.
      The 'dracut-fips' package causes the FIPS self-tests to be called in the libcrypto constructor. The FIPS self-tests perform allocations, and that's why the allocation functions cannot be altered.

      The same state should be reached in FIPS mode, although so far I have talked about the 'dracut-fips' package being installed with FIPS mode still disabled.
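
The latch described above, as an added example that is not part of the original report and is not OpenSSL or MariaDB code: a simplified model in which the first library allocation clears `allow_customize`, so a constructor-time self-test makes the later hook registration return 0. All `model_*` names, `counting_malloc` and `simulate_startup` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the latch in the report; every model_* name is
   hypothetical and none of this is OpenSSL source. */
typedef void *(*malloc_fn)(size_t);

static int allow_customize = 1;      /* cleared by the first allocation */
static malloc_fn malloc_impl = malloc;
static int app_allocs = 0;           /* calls that reached the app's hook */

/* Counterpart of CRYPTO_set_mem_functions(): refuses once the latch is cleared. */
static int model_set_mem_functions(malloc_fn m)
{
    if (!allow_customize)
        return 0;
    malloc_impl = m;
    return 1;
}

/* Any library allocation clears the latch, so the hooks are frozen afterwards. */
static void *model_malloc(size_t n)
{
    allow_customize = 0;
    return malloc_impl(n);
}

/* Stand-in for self-tests that run from the library constructor. */
static void model_library_constructor(int run_selftests)
{
    if (run_selftests)
        free(model_malloc(32));
}

/* Application-supplied allocator that counts its calls. */
static void *counting_malloc(size_t n) { app_allocs++; return malloc(n); }

/* Returns what the application's startup check sees (1 = hooks installed). */
static int simulate_startup(int run_selftests)
{
    allow_customize = 1; malloc_impl = malloc; app_allocs = 0;
    model_library_constructor(run_selftests);  /* happens before main() in reality */
    int ok = model_set_mem_functions(counting_malloc);
    free(model_malloc(16));                    /* a later library allocation */
    return ok;
}

int main(void)
{
    printf("no self-tests:   set_mem_functions -> %d\n", simulate_startup(0));
    printf("with self-tests: set_mem_functions -> %d\n", simulate_startup(1));
    return 0;
}
```

In the second run the application's allocator is never installed, which is the condition the server reports as an incompatible OpenSSL version.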

        Activity

          serg Sergei Golubchik added a comment -

          Yes. This is basically a FIPS bug — as far as I understand, Ubuntu fixed it here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748 (although it looks like they've simply removed some FIPS patches).

          I'm not quite sure what we can do about it. I can disable the OpenSSL compatibility check if FIPS mode is enabled. Meaning if the next OpenSSL release changes the sizes of its internal structures, we won't notice it in FIPS mode and the server might crash instead of failing to start. The chance of this happening is not very high; normally we would've tried the server on a non-FIPS version of OpenSSL by then and adjusted the buffers.

          elenst Elena Stepanova added a comment -

          Setting to Confirmed based on the comment above.

          danblack Daniel Black added a comment -

          One byte fix as per PR. Details in commit message.


          People

            serg Sergei Golubchik
            mschorm Michal Schorm