maria-discuss team mailing list archive
Message #05561
Re: mariadb + FIPS
Hi, Captain!
On Aug 29, Captain Wiggum wrote:
> Hi All,
>
> I have searched the archives and forums and cannot find an answer to
> this question.
> Does mariadb support FIPS, and if so, how or where is a document about
> this?
Yes, it does. The link was earlier in the thread.
> I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all
> built from source.
The fact that it works means that MariaDB supports FIPS, right? :)
> In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS.
> However, when I search the mariadb code, SHA1 is used in many places.
FIPS doesn't disallow SHA1.
As far as I understand, it only disallows the use of SHA1 for
digital signatures. And MariaDB doesn't do that.
> How can I update mariadb to use sha256, without a ton of recoding?
You cannot. If you don't want to use SHA1, use a different
authentication plugin, for example, ed25519 or PAM.
Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx
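
The plugin switch suggested in the reply, as an added example that is not part of the original message: it lists accounts still on the SHA1-based native password method and moves one to ed25519. It assumes MariaDB 10.3 as in the thread; the account 'app_user'@'localhost', the password and the hash placeholder are hypothetical.

```sql
-- Added example; assumes MariaDB 10.3 and a session allowed to install
-- plugins and alter users. Account name and password are placeholders.

-- 1. Inventory: accounts that still authenticate with the SHA1-based
--    native method. In 10.3 an empty plugin column also means the
--    built-in password authentication.
SELECT User, Host, plugin
FROM mysql.user
WHERE plugin IN ('', 'mysql_native_password')
ORDER BY User, Host;

-- 2. Load the server-side ed25519 authentication plugin.
INSTALL SONAME 'auth_ed25519';

-- 3. In 10.3 the hash is produced by a helper UDF shipped in the same
--    library (PASSWORD() support for ed25519 arrived in 10.4).
CREATE FUNCTION ed25519_password RETURNS STRING SONAME 'auth_ed25519.so';

-- 4. Compute the ed25519 hash for the account's new password.
SELECT ed25519_password('constructed-example-password') AS ed25519_hash;

-- 5. Switch the account to ed25519, pasting the value returned by step 4
--    in place of the placeholder.
ALTER USER 'app_user'@'localhost'
  IDENTIFIED VIA ed25519 USING '<ed25519_hash from step 4>';

-- 6. Confirm the account no longer uses the native password plugin.
SELECT User, Host, plugin
FROM mysql.user
WHERE User = 'app_user' AND Host = 'localhost';
```

Clients connecting to such an account need the matching client_ed25519 plugin available in their connector.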