Failure to enable SSL out of the box when in fips mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mysql-8.0 (Ubuntu) | Confirmed | Undecided | Tobias Heider |
Bug Description
mysql-8.0 is failing to enable SSL on a fresh install if the running environment has FIPS enabled.
This can be easily reproduced in a cloud image that has fips enabled, like https:/
If you deploy that instance, then install mysql, it won't enable ssl:
```
2022-05-
2022-05-
2022-05-
2022-05-
2022-05-
```
I then create a user, to login via tcp/ip:
```
CREATE USER 'ubuntu'
```
And attempt it, but it's rejected because ssl is not used:
```
# mysql -uubuntu -h 127.0.0.1 -p
Enter password:
ERROR 2061 (HY000): Authentication plugin 'caching_
```
The fix is to tell mysql it should run in fips mode. I do that in /etc/mysql/
```
[mysqld]
ssl-fips-mode=on
```
Restart, and this time the logs are happier. There is just a warning about ssl, but it's enabled:
```
2022-05-
2022-05-
2022-05-
2022-05-
2022-05-
2022-05-
```
And we can confirm it, but only if we pass the same option to the mysql client:
```
# mysql -uubuntu -h 127.0.0.1 -p
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_new failed
# mysql -uubuntu -h 127.0.0.1 -p --ssl-fips-mode=on
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
...
```
Note the SSL bit:
```
mysql> \s
--------------
mysql Ver 8.0.29-
Connection id: 9
Current database:
Current user: ubuntu@localhost
SSL: Cipher in use is TLS_AES_
...
```
All in all, a configuration change makes this work, but the experience should be better out of the box. What can be done to improve this?
- documentation?
- have mysql detect a fips environment and auto-adjust?
- something else?
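As an added example (not part of the bug report or the mysql packaging), a small POSIX shell helper that detects a FIPS-enabled host via the kernel flag and derives the server stanza and client flag the report shows are needed; the flag file path and the drop-in file name /etc/mysql/mysql.conf.d/fips.cnf are assumptions, and every function takes its input as an argument so it can be checked against constructed files.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes Ubuntu FIPS images expose
# the kernel flag at /proc/sys/crypto/fips_enabled and that mysqld reads drop-in
# files from /etc/mysql/mysql.conf.d (both are assumptions, overridable below).
FIPS_SYSCTL="${FIPS_SYSCTL:-/proc/sys/crypto/fips_enabled}"
MYSQL_CONFDIR="${MYSQL_CONFDIR:-/etc/mysql/mysql.conf.d}"

# fips_enabled FILE -> 0 when the flag file reads "1", 1 otherwise.
fips_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# mysqld_fips_stanza -> prints the [mysqld] stanza the report adds.
mysqld_fips_stanza() {
    printf '[mysqld]\nssl-fips-mode=on\n'
}

# client_fips_args FILE -> prints the extra client flag when FIPS is on,
# nothing otherwise (without it the client fails with SSL_CTX_new failed).
client_fips_args() {
    if fips_enabled "$1"; then printf '%s' '--ssl-fips-mode=on'; fi
}

# ssl_in_use STATUS_TEXT -> 0 if the "SSL:" line of `mysql> \s` output
# reports a cipher, 1 if it says "Not in use" or the line is absent.
ssl_in_use() {
    printf '%s\n' "$1" | grep -q '^SSL:[[:space:]]*Cipher in use is '
}

# apply_fips_config CONFDIR FILE -> writes the stanza to CONFDIR/fips.cnf
# only when FIPS is enabled; mysqld must be restarted afterwards.
apply_fips_config() {
    confdir="$1"; flag="$2"
    fips_enabled "$flag" || return 0
    mysqldfips_out="$confdir/fips.cnf"
    mysqld_fips_stanza > "$mysqldfips_out"
}

# Real-host usage (left commented so the script itself has no side effects):
# apply_fips_config "$MYSQL_CONFDIR" "$FIPS_SYSCTL" && systemctl restart mysql
# mysql -uubuntu -h 127.0.0.1 -p $(client_fips_args "$FIPS_SYSCTL") -e '\s' | grep '^SSL:'
```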
tags: added: server-triage-discuss
summary: - Failure to enable SSO out of the box when in fips mode
         + Failure to enable SSL out of the box when in fips mode
Changed in mysql-8.0 (Ubuntu):
assignee: nobody → Henry Coggill (henrycoggill)
tags: removed: server-triage-discuss
information type: Public → Private
information type: Private → Private Security
information type: Private Security → Public
Changed in mysql-8.0 (Ubuntu):
assignee: Henry Coggill (henrycoggill) → Tobias Heider (tobhe)
~~Data points provided:
using an 18.04 Bionic FIPS cloud image, doing
```
apt-get update && apt-get install mysql-server mysql-client
```
successfully installs the server and client, and enables TLS properly for the FIPS environment. There may be a difference in packaging scripts between mysql-5.7 and mysql-8.0~~
No good strikethrough I know of. Sorry.
There is no direct support for ssl_fips_mode in mysql-5.7. Thus it'll happily install, but not enable