Bug #97662 MySQL v8.0.18 FIPS mode is no longer supported
Submitted: 15 Nov 2019 19:56
Modified: 4 Feb 2020 17:20
Reporter: Ryan L
Status: Closed
Category: MySQL Server: Compiling
Severity: S2 (Serious)
Version: 8.0.18
OS: Any (FIPS)
CPU Architecture: Any
Tags: FIPS

[15 Nov 2019 19:56] Ryan L
Description:
As per the release notes (https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-18.html), MySQL 8.0.18 was compiled with OpenSSL 1.1.1:
	- MySQL 8.0 no longer supports building using wolfSSL. All MySQL builds now use OpenSSL.
	- MySQL Server must be compiled using OpenSSL 1.1.1 or higher.
The internal structure of OpenSSL 1.1.1 is not compatible with the current FIPS-approved modules.
In previous versions, recompiling libeay.dll and ssleay.dll would allow for STRICT FIPS mode enforcement.
Now in v8.0.18 there is no path to reach FIPS compliance. If I am mistaken, please provide me a path to reaching FIPS compliance.

Log Entry when starting MySQL:
2019-10-17T20:55:11.222503Z 0 [System] [MY-010116] [Server] C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe (mysqld 8.0.18) starting as process 696
2019-10-17T20:55:22.016336Z 4 [System] [MY-013381] [Server] Server upgrade from '80017' to '80018' started.
2019-10-17T20:55:30.591870Z 4 [System] [MY-013381] [Server] Server upgrade from '80017' to '80018' completed.
2019-10-17T20:55:31.112372Z 0 [ERROR] [MY-011272] [Server] SSL fips mode error: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
2019-10-17T20:55:31.114130Z 0 [ERROR] [MY-010119] [Server] Aborting

Workaround:
In my.ini, change ssl_fips_mode=STRICT to ssl_fips_mode=off.


How to repeat:
Start the server with FIPS mode on or in strict mode.

Suggested fix:
Requests:
1. Path to FIPS compliance with MySQL 8.0.18 and future releases now that it is compiled with OpenSSL 1.1.1

Since I am unaware of any possible path outside of OpenSSL3.0 release, I suggest the following in place:

2. Update Section 6.5 FIPS Support (https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html) with the warning of FIPS non-compliance until a FIPS validated OpenSSL 3.0 release is made
3. Update Section 2.11.10 Upgrading MySQL on Windows to warn about the changes to FIPS compatibility and the major changes to the bin directory that must be accounted for.
[18 Nov 2019 5:48] MySQL Verification Team
Hello Ryan L,

Thank you for the report.

regards,
Umesh
[4 Feb 2020 16:58] Paul DuBois
Posted by developer:
re:
"
As per the release notes
...
	- MySQL Server must be compiled using OpenSSL 1.1.1 or higher
"

That is not true; it's a partial quote of one of the GR items, which says:

"
For group communication connections, Group Replication now supports the TLSv1.3 protocol, which was supported by MySQL Server from 8.0.16. To use the TLSv1.3 protocol, MySQL Server must be compiled using OpenSSL 1.1.1 or higher.
"

In other words, OpenSSL 1.1.1 is required to use TLSv1.3. MySQL can still be compiled with 1.0.2, although then the tradeoff is that TLSv1.3 is unavailable.
[4 Feb 2020 17:20] Paul DuBois
Posted by developer:
I have revised the system requirements at
https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html
to indicate the tradeoffs in available MySQL features:

At build time, MySQL must be compiled using OpenSSL. FIPS mode cannot
be used in MySQL if compilation uses an SSL library different from
OpenSSL.

In addition, MySQL must be compiled with an OpenSSL version that is
compatible with FIPS. OpenSSL 1.0.2 is compatible, but OpenSSL 1.1.1
is not. Binary distributions for recent versions of MySQL are
compiled using OpenSSL 1.1.1, which means they are not
FIPS-compatible. This leads to a situation of tradeoffs in available
MySQL features, depending on system and MySQL configuration:

* Use a system that has OpenSSL 1.0.2 and the required FIPS Object Module.
  In this case, you can enable FIPS mode for MySQL if you compile MySQL
  from source to use OpenSSL 1.0.2. However, in this case, you cannot use
  the TLSv1.3 protocol or ciphersuites (which require OpenSSL 1.1.1). In
  addition, you are using an OpenSSL version that reached End of Life
  status at the end of 2019.

* Use a system that has OpenSSL 1.1.1 or higher. In this case, you can
  install MySQL using binary packages, and you can use the TLSv1.3
  protocol and ciphersuites, in addition to other already supported TLS
  protocols. However, you cannot enable FIPS mode for MySQL.
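An added check, not part of the bug report or of MySQL itself, that ties the thread's findings together: it parses MySQL 8.0 error-log lines for the MY-011272 FIPS failure shown in the report, reads ssl_fips_mode from an option file, and predicts from the compile-time OpenSSL version whether the server will abort. The log lines, option-file text and version strings are constructed samples; the "1.0.2 compatible, 1.1.1 not" rule is the one stated in the comment above, and the 1.0.2 case assumes the FIPS Object Module is also present.

```python
import re
# MySQL 8.0 error-log line: <timestamp> <thread> [<level>] [MY-<code>] [<subsystem>] <message>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+\[(?P<level>\w+)\]\s+"
                      r"\[(?P<code>MY-\d+)\]\s+\[(?P<sub>\w+)\]\s+(?P<msg>.*)$")
FIPS_ERROR_CODE = "MY-011272"  # "SSL fips mode error", as in the report's log excerpt

# Constructed log lines modelled on the report's excerpt (not taken from a real host).
SAMPLE_LOG = [
    "2019-10-17T20:55:31.112372Z 0 [ERROR] [MY-011272] [Server] SSL fips mode error: "
    "error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported",
    "2019-10-17T20:55:31.114130Z 0 [ERROR] [MY-010119] [Server] Aborting",
]

def find_fips_failure(lines):
    """Return the OpenSSL reason text from a MY-011272 line, or None if the log has none."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("code") == FIPS_ERROR_CODE:
            # OpenSSL error strings are colon separated: error:<hex>:<lib>:<func>:<reason>
            r = re.search(r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.*)$", m.group("msg"))
            return r.group(1).strip() if r else m.group("msg")
    return None

def fips_compatible(openssl_version):
    """Per the thread: 1.0.2 builds can enable FIPS mode, 1.1.1 builds cannot; anything else -> None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", openssl_version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % openssl_version)
    return {(1, 0, 2): True, (1, 1, 1): False}.get(tuple(int(x) for x in m.groups()))

def read_fips_mode(option_file_text):
    """ssl_fips_mode from the [mysqld] section: OFF/ON/STRICT or 0/1/2; default OFF."""
    names, section, mode = {"0": "OFF", "1": "ON", "2": "STRICT"}, None, "OFF"
    for raw in option_file_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.replace("-", "_").lower() == "ssl_fips_mode":
                mode = names.get(val, val.upper())
    return mode

def predict_startup(option_file_text, openssl_version):
    # 'starts' (FIPS off, the report's workaround), 'starts-fips', 'aborts' (MY-011272) or 'unknown'
    mode = read_fips_mode(option_file_text)
    if mode == "OFF":
        return "starts"
    compat = fips_compatible(openssl_version)
    return "unknown" if compat is None else ("starts-fips" if compat else "aborts")
```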
[8 Aug 2022 7:29] Jaime Sicam
* Use a system that has OpenSSL 1.1.1 or higher. In this case, you can
  install MySQL using binary packages, and you can use the TLSv1.3
  protocol and ciphersuites, in addition to other already supported TLS
  protocols. However, you cannot enable FIPS mode for MySQL.

Regarding the bullet above, it seems you can enable ssl_fips_mode in CentOS 7/8 with RPM packages of MySQL 8.0 community even if it's using OpenSSL 1.1.1. However, you cannot enable ssl_fips_mode with the generic Linux binaries. That being said, when you said "binary packages" are you just referring to the generic Linux binaries and not the RPMs?