Details
-
New Feature
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Won't Fix
Description
MySQL 8.0 added the ssl_fips_mode system variable, which allows MySQL to run in FIPS mode:
ssl_fips_mode
Property Value
Command-Line Format --ssl-fips-mode=Unknown macro: {OFF|ON|STRICT}Introduced 8.0.11
System Variable ssl_fips_mode
Scope Global
Dynamic Yes
SET_VAR Hint Applies No
Type Enumeration
Default Value OFF
Valid Values
OFF (or 0)ON (or 1)
STRICT (or 2)
Controls whether to enable FIPS mode on the server side. The ssl_fips_mode system variable differs from other --ssl-xxx options in that it is not used to control whether the server permits encrypted connections, but rather to affect which cryptographic operations are permitted. See Section 6.5, “FIPS Support”.
These ssl_fips_mode values are permitted:
OFF (or 0): Disable FIPS mode.
ON (or 1): Enable FIPS mode.
STRICT (or 2): Enable “strict” FIPS mode.
https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_ssl_fips_mode
https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html
Currently, to use FIPS mode in MariaDB, you have to enable it at the kernel level by following a process like the ones listed here:
Should we port ssl_fips_mode from MySQL, so our users can enable FIPS mode without changing kernel parameters?
Relevant MySQL commits:
https://github.com/mysql/mysql-server/commit/bc4036a6bb148c340aa37b583be5ef3b696f8d9c
https://github.com/mysql/mysql-server/commit/72ea3f61675033e16a0d13651b67695b85d88824
Attachments
Issue Links
- is blocked by
-
MDEV-27729 test with FIPS mode in buildbot
-
- Closed
-
- relates to
-
-
- Closed
-
Activity
Backporting has already been done in CentOS and Debian, so submitted that patch for 10.6 in https://github.com/MariaDB/server/pull/2036
serg What are the next steps on this? If somebody had extra time on their hands, what should they do? Do you want to have a design/planning meeting or is the implementation basically just to copy the flag from MySQL, and make it so that ssl-fips-mode=on errors out if the server detects that MariaDB was not compiled with OpenSSL 3.0?
At the moment we have fips tests running in buildbot, with openssl-1.0.2 and with openssl-3.0, see MDEV-27729 for details.
As for the ssl-fips-mode, I'm not sure it'll be very helpful. There're lots of OpenSSL aspects one can configure, they all can be configured in a config file and with OPENSSL_CONF one can use a dedicated config file that will only apply to MariaDB. One can enable fips mode that way (our tests do that), but also everything else OpenSSL related. Singling out just one particular openssl setting and creating a MariaDB option for it doesn't look very logical to me. Why not to create an option for the security level, for example? or for protocols? or for tsl1.3 ciphers?
I think it's reasonable to be able to configure anything OpenSSL related, and do it in a separate file using the well known and documented syntax. And not to duplicate arbitrary selected small bits of OpenSSL config in the my.cnf file.
MySQL has actually deprecated ssl_fips_mode in favor of OpenSSL side configuration starting with MySQL 8.0.34
Yes. It's disabled before 10.8 because these builds crash (see numerous linked bug reports).
It is quite possible that we'll backport 10.8 OpenSSL 3.0 patches to earlier versions eventually.