FIPS mode for Percona Mysql 8.0.35 version

Hi Team,

As per the latest release note of https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-34.html, the ssl_fips_mode server system variable, --ssl-fips-mode client option, and the MYSQL_OPT_SSL_FIPS_MODE option now are deprecated and subject to removal in a future version of MySQL

So how can one enable FIPS starting with the 8.0.34 version of MySQL? Can someone share more details or documents, as it's difficult to follow from the documentation.

Thank you in advance.

Hello @Manjunath_Batakurki,
The release notes you linked explain how to do this:

Alternatively, it is possible to handle FIPS mode directly through OpenSSL configuration files rather than using the current server-side system variable and client-side options. When MySQL is compiled using OpenSSL 3.0, and an OpenSSL library and FIPS Object Module are available at runtime, the server reads the OpenSSL configuration file and respects the preference to use a FIPS provider, if one is set. OpenSSL 3.0 is certified for use with FIPS.

Further, this blog post may be of help:
https://dev.mysql.com/blog-archive/openssl-fips-support-in-mysql-8-0/
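The OpenSSL-side approach the reply describes hinges on the server's openssl.cnf: a top-level `openssl_conf` key names an init section, that section names a providers section, and the providers section must load the `fips` provider (whose activation block, with the module's integrity MAC, is generated by `openssl fipsinstall` into fipsmodule.cnf and pulled in via `.include`) plus the `base` provider for file I/O, while `default_properties = fips=yes` keeps non-FIPS algorithms such as MD5 from being fetched. The checker below is an added example, not MySQL's, Percona's or OpenSSL's code; it assumes the layout documented in OpenSSL's fips_module(7) man page, and the file path and module-mac value in its embedded samples are constructed placeholders. It parses a config, walks those references, and reports which requirement is missing, treating a loaded `default` provider as a finding because that is the weak setting that lets MD5 keep working even with the FIPS provider present.

```python
"""Check whether an OpenSSL 3 configuration activates the FIPS provider.

Added example (not MySQL's, Percona's or OpenSSL's code). It assumes the
config layout documented in OpenSSL's fips_module(7) man page; file paths
and the module-mac value in the samples are constructed placeholders.
"""
import configparser
import re
from typing import Dict, Optional

# OpenSSL's `.include path` directive is not INI syntax; we expand it ourselves.
INCLUDE_RE = re.compile(r"^\s*\.include\s*(?:=\s*)?(\S+)")


def load_openssl_cnf(text: str, includes: Optional[Dict[str, str]] = None) -> configparser.ConfigParser:
    """Parse OpenSSL's INI-like config with configparser.

    Keys before the first [section] (openssl_conf, config_diagnostics) land in a
    synthetic [_top_] section. `.include` lines are replaced by the content of
    the named file taken from `includes`, so the example runs offline.
    """
    includes = includes or {}
    expanded = ["[_top_]"]
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            expanded.extend(includes.get(m.group(1), "").splitlines())
        else:
            expanded.append(line)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("\n".join(expanded))
    return cp


def fips_provider_checks(cp: configparser.ConfigParser) -> Dict[str, bool]:
    """Walk openssl_conf -> providers -> provider sections; report each requirement."""
    def section(name: str):
        return cp[name] if name and cp.has_section(name) else {}

    top = section("_top_")
    init_name = top.get("openssl_conf", "")
    init = section(init_name)
    providers = section(init.get("providers", ""))
    alg = section(init.get("alg_section", ""))

    def activated(provider: str) -> bool:
        # The provider's own section must carry `activate = 1`.
        return section(providers.get(provider, "")).get("activate", "0").strip() == "1"

    props = alg.get("default_properties", "").replace(" ", "")
    return {
        "openssl_conf names an init section": cp.has_section(init_name),
        "fips provider activated": activated("fips"),
        "base provider activated": activated("base"),
        "default provider not loaded": "default" not in providers,
        "default_properties restrict to fips=yes": "fips=yes" in props,
    }


def fips_enforced(cp: configparser.ConfigParser) -> bool:
    return all(fips_provider_checks(cp).values())


# Constructed sample: an openssl.cnf in the shape fips_module(7) documents.
FIPS_CNF = """\
config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
"""

# Constructed stand-in for the fipsmodule.cnf written by `openssl fipsinstall`;
# the MAC is a placeholder, not a real integrity checksum.
FIPSMODULE_CNF = """\
[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac = 00:00:00:00:PLACEHOLDER
"""

# Constructed sample: a stock distribution config that only loads `default`.
STOCK_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
"""

# Constructed sample of the weak setting: fips is loaded, but so is default and
# nothing restricts properties, so MD5 is still served by the default provider.
PARTIAL_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect
default = default_sect

[fips_sect]
activate = 1

[base_sect]
activate = 1

[default_sect]
activate = 1
"""

if __name__ == "__main__":
    includes = {"/usr/local/ssl/fipsmodule.cnf": FIPSMODULE_CNF}
    for name, cfg in [("fips-only", FIPS_CNF), ("stock", STOCK_CNF), ("fips+default", PARTIAL_CNF)]:
        cp = load_openssl_cnf(cfg, includes)
        print(f"{name}: enforced={fips_enforced(cp)}")
        for check, ok in fips_provider_checks(cp).items():
            print(f"  [{'ok' if ok else '!!'}] {check}")
```

On a live host the same questions are answered by `openssl list -providers` (which should list `fips` and `base` but not `default`) and by a plain `openssl md5` on any file failing with an "unsupported" digest error; the config checker is useful for reviewing an image or a config file before it is deployed.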

Thank you for the details. Really appreciate your response. I could verify the same and see that md5 in SQL throws an error, as it's using OpenSSL 3.X. To add more, when deploying the Percona XtraDB Cluster pods, the base image like percona:8.0.35-27 that the pxc uses does not seem to be FIPS compliant. Is it not supposed to be FIPS compliant as well? I have raised the same question here as well: FIPS enabled version of pxc-db for mysql

As per MySQL 8.0.35, the ssl_fips_mode is deprecated. So we assume that MySQL does enable it explicitly. Not setting it explicitly (even though it is deprecated) does behave like this.

mysql> show variables like "%fips%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| ssl_fips_mode | OFF   |
+---------------+-------+
1 row in set (0.00 sec)

mysql> select md5(8);show warnings;
+----------------------------------+
| md5(8)                           |
+----------------------------------+
| 00000000000000000000000000000000 |
+----------------------------------+
1 row in set (0.15 sec)

Empty set (0.02 sec)

mysql>
mysql> set global ssl_fips_mode=1;
ERROR 1238 (HY000): Variable 'ssl_fips_mode' is a read only variable

md5 is unsupported in FIPS mode and should not work.

The underlying OS has the right FIPS configuration, and md5 does not work:
root@cmp-db6:/home/vmaas# openssl md5 test
Error setting digest
808B6D108C7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 101), Properties ()
808B6D108C7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:254:

Does this mean that even in 8.0.35, ssl_fips_mode has to be set explicitly to enable FIPS mode (it is possible to set it before starting mysql using my.cnf)?

It would appear so, until the variable is removed. Yes, set this in my.cnf.