[MDEV-19475] Add support for OpenSSL configuration files Created: 2019-05-15  Updated: 2020-05-12  Resolved: 2020-05-12

Status: Closed
Project: MariaDB Server
Component/s: SSL
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Sergei Golubchik
Resolution: Won't Fix Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-14101 Provide option to select TLS protocol... Closed
relates to MDEV-20170 main.tls_version and main.tls_version... Closed
relates to MDEV-20260 Port the ssl_fips_mode system variabl... Closed

Description

OpenSSL allows applications to load OpenSSL configuration files:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_config.html

https://www.openssl.org/docs/man1.1.1/man3/CONF_modules_load_file.html

https://www.openssl.org/docs/man1.1.1/man5/config.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_openssl#sec-Configuring_OpenSSL

There could be some benefits to changing MariaDB server, so that it supports the ability to load an OpenSSL configuration file.

For example, since MDEV-14101 is not implemented, the server can't currently be restricted to a specific TLS protocol version. An OpenSSL configuration file would give users a way to work around that.

It would also give users the ability to configure the algorithms used by OpenSSL.



Comments
Comment by Sergei Golubchik [ 2019-08-06 ]

What would be a benefit of using it now, when MDEV-14101 is implemented?

Comment by Geoff Montee (Inactive) [ 2019-08-06 ]

One example is that an OpenSSL configuration file could be used to enable FIPS mode if we decide not to implement MDEV-20260.

I'm not sure what other benefits there would be. Selecting ciphers and algorithms can be done with the ssl_cipher system variable, so I don't think OpenSSL configuration files are needed for that.

The syntax of OpenSSL configuration files seems a bit convoluted, so it is difficult to determine what they can be used for beyond the basics.

Comment by Georg Richter [ 2019-12-27 ]

If you want to use another configuration file, just set the environment variable OPENSSL_CONF which points to a different configuration file.

Comment by Geoff Montee (Inactive) [ 2019-12-27 ]

georg,

I don't think MariaDB currently supports reading any OpenSSL configuration file, including the standard configuration file or the configuration file defined by OPENSSL_CONF. With OpenSSL, support for configuration files appears to be optional. It seems to only be enabled if the application calls the OPENSSL_config() function or if the application is compiled with OPENSSL_LOAD_CONF defined. From the OpenSSL documentation:

OPENSSL_config() configures OpenSSL using the standard openssl.cnf and reads from the application section appname. If appname is NULL then the default section, openssl_conf, will be used. Errors are silently ignored. Multiple calls have no effect.

OPENSSL_no_config() disables configuration. If called before OPENSSL_config() no configuration takes place.

If the application is built with OPENSSL_LOAD_CONF defined, then a call to OpenSSL_add_all_algorithms() will implicitly call OPENSSL_config() first.

As far as I can tell, MariaDB isn't calling the OPENSSL_config() function or defining OPENSSL_LOAD_CONF at compile time.

Just to confirm, I did a test with strace, and my test shows that MariaDB is not trying to load the OpenSSL configuration file.

For example, first start the server with strace:

sudo mkdir strace
cd strace/
sudo nohup strace -o./strace.out -ff mysqld --user=mysql &

And then check the resulting strace output to see if openssl.cnf is referenced:

sudo grep "openssl" ./strace.out*

It does not return any results.
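
The strace check above, as an added example that is not from this issue or the MariaDB project: a POSIX shell function that classifies the per-process trace files written by strace -ff, distinguishing a successful open of openssl.cnf (or of the file named in OPENSSL_CONF, passed as the first argument) from an open that failed and from no attempt at all; a bare grep for "openssl" would count a failed ENOENT open as a hit. The sample trace lines are constructed, not real captures.

```shell
# Added example (not MariaDB code): classify strace output to show whether the
# traced mysqld actually read an OpenSSL config file.  Works on the per-process
# files from "strace -ff -o ./strace.out" and on "strace -f" logs with "[pid N]".
#
# openssl_conf_status CONF_PATH FILE...
#   CONF_PATH: value of OPENSSL_CONF, or "" for the default openssl.cnf anywhere.
#   exit 0 = config opened successfully, 1 = open attempted but failed,
#   exit 2 = no attempt at all (what the OpenSSL 1.0.2 test above reported).
openssl_conf_status() {
    conf=$1; shift
    # Keep only open()/openat() lines, optionally prefixed by "[pid N] ".
    calls=$(grep -h -E '^(\[pid +[0-9]+\] +)?(open|openat)\(' "$@" 2>/dev/null || true)
    if [ -n "$conf" ]; then
        hits=$(printf '%s\n' "$calls" | grep -F "\"$conf\"" || true)
    else
        hits=$(printf '%s\n' "$calls" | grep -E '/openssl\.cnf"' || true)
    fi
    if [ -z "$hits" ]; then
        echo "none: no attempt to open an OpenSSL config file"
        return 2
    fi
    # strace prints "= N" (a real fd) for a successful open, "= -1 ERRNO" otherwise.
    ok=$(printf '%s\n' "$hits" | grep -E '\) = [0-9]+$' | head -n 1)
    if [ -n "$ok" ]; then
        echo "loaded: $ok"
        return 0
    fi
    echo "missing: $(printf '%s\n' "$hits" | head -n 1)"
    return 1
}

# Constructed sample traces (not real captures) covering the three outcomes.
tmp=$(mktemp -d)
cat > "$tmp/loaded.out" <<'EOF'
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 5
EOF
cat > "$tmp/missing.out" <<'EOF'
[pid  4321] open("/etc/pki/tls/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
cat > "$tmp/none.out" <<'EOF'
openat(AT_FDCWD, "/var/lib/mysql/ibdata1", O_RDWR|O_CLOEXEC) = 9
EOF

for f in loaded missing none; do
    rc=0
    openssl_conf_status "" "$tmp/$f.out" || rc=$?
    echo "$f.out -> exit $rc"
done
```

On a real server run this as `openssl_conf_status "${OPENSSL_CONF:-}" ./strace.out.*` after stopping strace.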

Comment by Sergei Golubchik [ 2020-05-11 ]

This is strange. What OpenSSL version did you use?

Because when I set OPENSSL_CONF, I clearly see that it has effect. And both server and client do read it, as strace shows. At least on OpenSSL 1.1.1

Comment by Geoff Montee (Inactive) [ 2020-05-11 ]

I think I performed my previous test on RHEL 7, so it would have been using OpenSSL 1.0.2.

Comment by Sergei Golubchik [ 2020-05-11 ]

I didn't try that myself, but buildbot did, with 1.0.1k, for example, on Debian Jessie: https://buildbot.askmonty.org/buildbot/builders/kvm-deb-jessie-amd64/builds/8984 — this build failed tests, because I made mtr set OPENSSL_CONF to a file that OpenSSL 1.0.1k could not parse (I was trying to fix an Ubuntu Focal problem, so in the next push I amended the commit to only use that file on OpenSSL 1.1.1+).

Comment by Geoff Montee (Inactive) [ 2020-05-11 ]

Hi serg,

Maybe I wasn't able to reproduce it previously due to user error. I don't remember how I performed the test, and I can't really try to repeat the test at the moment. Please feel free to close this task if you have already confirmed that OpenSSL configuration files are supported. Thanks!

Comment by Sergei Golubchik [ 2020-05-12 ]

I think https://github.com/MariaDB/server/commit/15502e5e3334 confirms it, so closing.

Generated at Thu Feb 08 08:51:58 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.