Am 30.08.19 um 00:10 schrieb Captain Wiggum:

I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this. I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source. In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places. How can I update mariadb to use sha256, without a ton of recoding? Any tips appreciated.

outside of encryption code nothing is wrong with SHA1 depending on the usecase and without context "SHA1 is used in many place" is a useless statement there are even usecases where MD4 is just fine againb: not every usage of a hash function is security related or collisions prone and in that case it would be pretty dumb use a much slower sha256 hash

Hi, Captain! On Aug 29, Captain Wiggum wrote:

Hi All,

I have searched the archives and forums and cannot find an answer to this question. Does mariadb support FIPS, and if so, how or where is a document about this.

Yes, it does. The link was earlier in the thread.

I use mariadb 10.3.17 with OpenSSL 1.0.2 with FIPS enabled, all built from source.

The fact that it works means that MariaDB supports FIPS, right? :)

In FIPS mode, SHA1 is disallowed by openssl, as required by FIPS. However, when I search the mariadb code, SHA1 is used in many places.

FIPS doesn't disallow SHA1. As far as I understand, it only doesn't allow to use SHA1 for digital signatures. And MariaDB doesn't do that.

How can I update mariadb to use sha256, without a ton of recoding?

you cannot. if you don't want to use SHA1, use a different authentication plugin, for example, ed25519 or PAM. Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org