0

I have a build of OpenSSL that uses the FIPS Object Module for FIPS-validated cryptography. Certain applications such as Tomcat support the use of this specialized FIPS OpenSSL. You compile against the OpenSSL crypto libraries and then set an option in some configuration file (for Tomcat this would be FIPSMode=on in server.xml).

I would like to use FIPS OpenSSL with MySQL. I know you can build MySQL to use OpenSSL, but I have found no indication that you can enable FIPS mode, either via a configuration file or some other means. Is this possible?

Some background: to use OpenSSL in FIPS mode the application must call FIPS_mode_set() and this must return non-zero. Tomcat will do this for you if you set the FIPSMode flag appropriately in server.xml. MySQL does not seem to have such a flag. Maybe there is some other means to accomplish this.

Graph Theory
  • 103
  • 3

1 Answers1

1

Can MySQL with OpenSSL run in FIPS mode?

Likely not. FIPS 140-2 does not allow use of algorithms MD5 and SHA-1 (some hand waiving, because there are explicit exemptions provided in, for example, the PRF used in TLS).

Unfortunately, some versions of MySQL still relies on SHA-1 for some internal functions like password hashing. That includes the latest version of MySQL, which is 5.7 at the time of this writing.

In the past I've seen patches which allow MySQL to meet FIPS 140-2 criteria, but they are provided by third parties. However, the application itself would still likely need a formal evaluation once it gets to the point it can actually pass the check box items from FIPS 140-2.

  • I was afraid of that. I assume there's no way to disable use of those algorithms in MySQL? Something like "instead of using SHA-1 for passwords use SHA-256?" – Graph Theory Oct 05 '17 at 15:35