[MDEV-14567] MariaDB won't work in FIPS mode - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.2(EOL)
Fix Version/s: 10.2.13
Component/s: Server, SSL
Labels:
- contribution
- foundation
Environment:
Fedora 27
package 'dracut-fips' installed

Sprint:
10.2.13

Description

Hello,

On Fedora 27, if you install 'dracut-fips' package, MariaDB server won't start with folowing explanation:

mysql-prepare-db-dir[17281]: 2017-12-04  8:24:26 140228227141056 [ERROR] Incompatible OpenSSL version. Cannot continue...

it calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here:

┌──crypto/mem.c──────────────────────

│39          if (!allow_customize)

│40              return 0;

And that's the issue.
Package 'dracut-fips' will cause, that in libcrypto constructor FIPS self-tests must be called. FIPS self-test calls allocations and that's why the allocation function cannot be altered.

—

The same state should be achieved in FIPS mode, although so far I talked about installed 'dracut-fips' package, but still disabled FIPS mode.

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Michal Schorm

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2017-12-04 15:24

Updated:: 2018-02-07 10:46

Resolved:: 2018-02-07 10:46

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.