← Back to team overview

maria-discuss team mailing list archive

Re: mariadb + FIPS

 

Thanks Harald for your reply. I do not disagree with anything you said.
Unfortunately we cannot tell the US Govt that their requirements are stupid.
When openssl is in FIPS mode, md5 & sha1 are disabled for everyone.
So any usage from mariadb (linked with openssl) will fail.


On Thu, Aug 29, 2019 at 4:33 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx>
wrote:

>
>
> Am 30.08.19 um 00:10 schrieb Captain Wiggum:
> > I have searched the archives and forums and cannot find an answer to
> > this question.
> > Does mariadb support FIPS, and if so, how or where is a document about
> this.
> > I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built
> > from source.
> > In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS.
> > However, when I search the mariadb code, SHA1 is used in many places.
> > How can I update mariadb to use sha256, without a ton of recoding?
> > Any tips appreciated.
>
> outside of encryption code nothing is wrong with SHA1 depending on the
> usecase and without context "SHA1 is used in many place" is a useless
> statement
>
> there are even usecases where MD4 is just fine
>
> againb: not every usage of a hash function is security related or
> collisions prone and in that case it would be pretty dumb use a much
> slower sha256 hash
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>

Follow ups

References