[MDEV-14567] MariaDB won't work in FIPS mode Created: 2017-12-04 Updated: 2018-02-07 Resolved: 2018-02-07 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Server, SSL |
| Affects Version/s: | 10.2 |
| Fix Version/s: | 10.2.13 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Michal Schorm | Assignee: | Sergei Golubchik |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | contribution, foundation |
| Environment: | Fedora 27 |
| Sprint: | 10.2.13 |
| Description |
|
Hello, on Fedora 27, if you install the 'dracut-fips' package, MariaDB server won't start, with the following explanation:
it calls CRYPTO_set_mem_functions() from libcrypto.so, which returns 0 here:
And that's the issue. — The same state should be achieved in FIPS mode, although so far I have talked about the 'dracut-fips' package being installed but FIPS mode still disabled. |
| Comments |
| Comment by Sergei Golubchik [ 2017-12-04 ] |
|
Yes. This is basically a FIPS bug — as far as I understand, Ubuntu fixed it here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748 (although it looks like they've simply removed some FIPS patches). I'm not quite sure what we can do about it. I can disable the OpenSSL compatibility check if FIPS mode is enabled. Meaning if the next OpenSSL release changes sizes of its internal structures, we won't notice it in FIPS mode and the server might crash instead of failing to start. The chance of this happening is not very high, normally we would've tried the server on a non-FIPS version of OpenSSL by then and adjusted the buffers. |
| Comment by Elena Stepanova [ 2017-12-16 ] |
|
Setting to Confirmed based on the comment above. |
| Comment by Daniel Black [ 2018-02-04 ] |
|
One byte fix as per PR. Details in commit message. |