[Maria-discuss] mariadb + FIPS
Hi All, I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this. I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source. In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places. How can I update mariadb to use sha256, without a ton of recoding? Any tips appreciated. --Capt
On 30.08.19 at 00:10, Captain Wiggum wrote:
I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this. I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source. In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places. How can I update mariadb to use sha256, without a ton of recoding? Any tips appreciated.
Outside of encryption code nothing is wrong with SHA1, depending on the use case, and without context "SHA1 is used in many places" is a useless statement. There are even use cases where MD4 is just fine. Again: not every usage of a hash function is security related or collision prone, and in that case it would be pretty dumb to use a much slower sha256 hash.
Thanks Harald for your reply. I do not disagree with anything you said. Unfortunately we cannot tell the US Govt that their requirements are stupid. When openssl is in FIPS mode, md5 & sha1 are disabled for everyone. So any usage from mariadb (linked with openssl) will fail. On Thu, Aug 29, 2019 at 4:33 PM Reindl Harald <h.reindl@thelounge.net> wrote:
On 30.08.19 at 00:10, Captain Wiggum wrote:
I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this.
I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source. In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places. How can I update mariadb to use sha256, without a ton of recoding? Any tips appreciated.
Outside of encryption code nothing is wrong with SHA1, depending on the use case, and without context "SHA1 is used in many places" is a useless statement.
There are even use cases where MD4 is just fine.
Again: not every usage of a hash function is security related or collision prone, and in that case it would be pretty dumb to use a much slower sha256 hash.
On 02.09.19 at 20:22, Captain Wiggum wrote:
Thanks Harald for your reply. I do not disagree with anything you said. Unfortunately we cannot tell the US Govt that their requirements are stupid. When openssl is in FIPS mode, md5 & sha1 are disabled for everyone. So any usage from mariadb (linked with openssl) will fail.
yeah, but not every usage of a hash function is related to openssl
On Thu, Aug 29, 2019 at 4:33 PM Reindl Harald <h.reindl@thelounge.net> wrote:
On 30.08.19 at 00:10, Captain Wiggum wrote:
> I have searched the archives and forums and cannot find an answer to this question.
> Does mariadb support FIPS, and if so, how or where is a document about this.
> I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source.
> In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS.
> However, when I search the mariadb code, SHA1 is used in many places.
> How can I update mariadb to use sha256, without a ton of recoding?
> Any tips appreciated.
Outside of encryption code nothing is wrong with SHA1, depending on the use case, and without context "SHA1 is used in many places" is a useless statement.
There are even use cases where MD4 is just fine.
Again: not every usage of a hash function is security related or collision prone, and in that case it would be pretty dumb to use a much slower sha256 hash.
There is some FIPS documentation at: https://mariadb.com/kb/en/library/tls-and-cryptography-libraries-used-by-mar... On 2019/08/30 00:10, Captain Wiggum wrote:
Hi All,
I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this. I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source. In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places. How can I update mariadb to use sha256, without a ton of recoding? Any tips appreciated.
--Capt
Hi, Captain! On Aug 29, Captain Wiggum wrote:
Hi All,
I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this.
Yes, it does. The link was earlier in the thread.
I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source.
The fact that it works means that MariaDB supports FIPS, right? :)
In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places.
FIPS doesn't disallow SHA1. As far as I understand, it only doesn't allow using SHA1 for digital signatures. And MariaDB doesn't do that.
How can I update mariadb to use sha256, without a ton of recoding?
You cannot. If you don't want to use SHA1, use a different authentication plugin, for example, ed25519 or PAM.
Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org
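The plugin switch Sergei suggests, as an added example that is not from the thread: it moves an account off the SHA1-based mysql_native_password plugin onto ed25519 on a MariaDB 10.3 server. It assumes the auth_ed25519 plugin library is present in the server's plugin directory; the account name, host and password are constructed placeholders.

```sql
-- Load the server-side ed25519 plugin (add plugin_load_add=auth_ed25519
-- to my.cnf so it is still loaded after a restart).
INSTALL SONAME 'auth_ed25519';

-- Find the accounts that still authenticate via mysql_native_password,
-- i.e. the ones whose login check is the SHA1-based scheme.
SELECT user, host, plugin FROM mysql.user WHERE user <> '';

-- On 10.3 the plugin ships a helper function that turns a password into the
-- ed25519 verifier string (43 characters) stored for the account.
SELECT ed25519_password('correct horse battery staple');

-- Create (or ALTER) the account with that verifier; 'app'@'10.0.0.%' and the
-- USING value are placeholders: paste the output of the SELECT above.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED VIA ed25519 USING '<ed25519_password output>';

-- Confirm the account is now bound to the ed25519 plugin.
SELECT user, host, plugin FROM mysql.user WHERE user = 'app';
```

Clients must have the matching client_ed25519 plugin available, so roll the change out per account after confirming each client library supports it.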