Bug #97662 | MySQL v8.0.18 FIPS mode is no longer supported | | |
---|---|---|---|
Submitted: | 15 Nov 2019 19:56 | Modified: | 4 Feb 2020 17:20 |
Reporter: | Ryan L | | |
Status: | Closed | | |
Category: | MySQL Server: Compiling | Severity: | S2 (Serious) |
Version: | 8.0.18 | OS: | Any (FIPS) |
Assigned to: | | CPU Architecture: | Any |
Tags: | FIPS | | |
[15 Nov 2019 19:56]
Ryan L
[18 Nov 2019 5:48]
MySQL Verification Team
Hello Ryan L,

Thank you for the report.

Regards,
Umesh
[4 Feb 2020 16:58]
Paul DuBois
Posted by developer:

re: "As per the release notes ... - MySQL Server must be compiled using OpenSSL 1.1.1 or higher"

That is not true; it's a partial quote of one of the GR items, which says:

"For group communication connections, Group Replication now supports the TLSv1.3 protocol, which was supported by MySQL Server from 8.0.16. To use the TLSv1.3 protocol, MySQL Server must be compiled using OpenSSL 1.1.1 or higher."

In other words, OpenSSL 1.1.1 is required to use TLSv1.3. MySQL can still be compiled with 1.0.2, although then the tradeoff is that TLSv1.3 is unavailable.
[4 Feb 2020 17:20]
Paul DuBois
Posted by developer:

I have revised the system requirements at https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html to indicate the tradeoffs in available MySQL features:

At build time, MySQL must be compiled using OpenSSL. FIPS mode cannot be used in MySQL if compilation uses an SSL library different from OpenSSL. In addition, MySQL must be compiled with an OpenSSL version that is compatible with FIPS. OpenSSL 1.0.2 is compatible, but OpenSSL 1.1.1 is not. Binary distributions for recent versions of MySQL are compiled using OpenSSL 1.1.1, which means they are not FIPS-compatible.

This leads to a situation of tradeoffs in available MySQL features, depending on system and MySQL configuration:

* Use a system that has OpenSSL 1.0.2 and the required FIPS Object Module. In this case, you can enable FIPS mode for MySQL if you compile MySQL from source to use OpenSSL 1.0.2. However, in this case, you cannot use the TLSv1.3 protocol or ciphersuites (which require OpenSSL 1.1.1). In addition, you are using an OpenSSL version that reached End of Life status at the end of 2019.

* Use a system that has OpenSSL 1.1.1 or higher. In this case, you can install MySQL using binary packages, and you can use the TLSv1.3 protocol and ciphersuites, in addition to other already supported TLS protocols. However, you cannot enable FIPS mode for MySQL.
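A pre-flight check for the tradeoff described in the comment above, added here as an example and not part of the bug report or the MySQL documentation: it classifies an `openssl version` string into the FIPS/TLSv1.3 cases listed, and reports the host's OpenSSL and kernel FIPS state. The version strings are constructed samples; the `vendor-fips-1.1.1` case is an assumption covering distribution-patched 1.1.1 builds that advertise FIPS, which the later comment in this thread suggests exist.

```shell
#!/bin/sh
# Added example (not from the bug report): map the OpenSSL a mysqld build links
# against onto the FIPS vs. TLSv1.3 tradeoff cases from the documentation text.
# Version strings used in the report are constructed samples.

# classify_openssl "<output of openssl version>" prints one of:
#   fips-capable-1.0.2  1.0.2 with the FIPS Object Module: ssl_fips_mode can be
#                       enabled; no TLSv1.3; OpenSSL 1.0.2 is end of life
#   no-fips-1.0.2       1.0.2 without the FIPS module: neither FIPS nor TLSv1.3
#   no-fips-1.1.1       upstream 1.1.1: TLSv1.3 available, ssl_fips_mode cannot be enabled
#   vendor-fips-1.1.1   1.1.1 that advertises FIPS (assumed distribution-patched
#                       build); confirm on the server before relying on it
#   unknown             anything else (not OpenSSL, or a version not covered here)
classify_openssl() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
  fips=no
  case "$1" in *[Ff][Ii][Pp][Ss]*) fips=yes ;; esac
  case "$ver" in
    1.0.2)
      if [ "$fips" = yes ]; then echo fips-capable-1.0.2; else echo no-fips-1.0.2; fi ;;
    1.1.1)
      if [ "$fips" = yes ]; then echo vendor-fips-1.1.1; else echo no-fips-1.1.1; fi ;;
    *) echo unknown ;;
  esac
}

# First-pass report for this host. The library mysqld was *built* with is what
# decides FIPS availability and may differ from the system OpenSSL, so the
# server-side query printed last is the authoritative check.
report_local_openssl() {
  if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    echo "openssl: $v -> $(classify_openssl "$v")"
  else
    echo "openssl: not found in PATH"
  fi
  if [ -r /proc/sys/crypto/fips_enabled ]; then
    echo "kernel fips_enabled: $(cat /proc/sys/crypto/fips_enabled)"
  fi
  echo "confirm on the server: SELECT @@GLOBAL.ssl_fips_mode, @@GLOBAL.tls_version;"
}

# Run the host report only when invoked as: sh fips_check.sh --report
[ "${1:-}" = "--report" ] && report_local_openssl
```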
[8 Aug 2022 7:29]
Jaime Sicam
> * Use a system that has OpenSSL 1.1.1 or higher. In this case, you can install MySQL using binary packages, and you can use the TLSv1.3 protocol and ciphersuites, in addition to other already supported TLS protocols. However, you cannot enable FIPS mode for MySQL.

Regarding the bullet above, it seems you can enable ssl_fips_mode in CentOS 7/8 with RPM packages of MySQL 8.0 community even if it's using OpenSSL 1.1.1. However, you cannot enable ssl_fips_mode with the generic Linux binaries. That being said, when you said "binary packages" are you just referring to the generic Linux binaries and not the RPMs?