Many products use OpenSSL, but for the most part, without choosing to incorporate the OpenSSL FIPS (US Federal Information Processing Standards) module. However it may be that running OpenSSL and using FIPs mode is something you should seriously consider and implement.
Background
OpenSSL library is mostly used and popular TLS/SSL library. OpenSSL, an open source project, is readily available, and anyone can download and modified the source code. However because this code is made available, it also adds a critical security concern. How do you ensure that someone does not have a “bad” OpenSSL library? For example, what if the library was intentionally modified to “sniff” packets. These kind of non-desired changes can put product security at risk. Many products by design do not include the OpenSSL library in their distribution, but instead use the operating systems installed library. Thus its incumbent upon an organization to ensure the OpenSSL library is good no matter which way its put into use – where from OS or Software installation.
Going on step further, consider that the OpenSSL library provides a comprehensive set of symmetric encryption, asymmetric encryption and hashing algorithms. Many of these algorithms are older and are no longer considered secure (such as MD5 and SHA1), but remain for backward compatibility. As such, products using OpenSSL library for security can unintentionally use these less secure algorithms and put sensitive data on risk. Thus it can be the case that either products can always claim they are using strong algorithms and don’t or that they are urging pristine OpenSSL libraries, but by what means can you verify this. That is where the FIPs compliance comes into play.
Two Challenges:
- How to ensure OpenSSL code is not modified/ tempered/ compromised? And it is authentic OpenSSL library.
- How to ensure product uses FIPS 140-2 (Federal Information Processing Standards) approved encryption algorithms only?
The OpenSSL library is validated for The Federal Information Processing Standard 140-2 (FIPS 140-2) to ensure end users receive a high degree of security, assurance, and dependability. But again, how to assure that is what is being used. Thus, to address these concerns OpenSSL team provides 2 things –
- Linking to a FIPS capable OpenSSL library
- Support for the OpenSSL FIPS Object Module.
MySQL 8.0, OpenSSL, and FIPS
MySQL server, MySQL client, replication channel, group replication and X protocol supports OpenSSL FIPS mode ON. When user sets FIPS mode ON in MySQL server/client, it will check the integrity/ authenticity of OpenSSL library. When MySQL server/client is in FIPS mode ON, any non FIPS compliance OpenSSL API’s call will result into error.
MySQL supports FIPS mode only when OpenSSL library is used as dynamic library
The OpenSSL library and OpenSSL FIPS object module must be installed at the operating system level. Many OSes (e.g. EL7) come pre-installed with both the OpenSSL library and OpenSSL FIPS object module. If the OS installed FIPS object module is not available then user can alternatively download the OpenSSL FIPS object module code and build it.
Scope of OpenSSL FIPS mode spans all server components – meaning if we set FIPS mode ON in the mysqld process, FIPS mode ON is apply across all the plug-ins inside mysqld .
replication channels, slave, group replication plug-in and x server require no separate SSL FIPS mode as they run inside the mysqld process.
HOW TOs for running OpenSSL in FIPs mode
Check if OS has FIPS enabled OpenSSL library and FIPS object module, please run following command from OS command line:
openssl md5 test
If the OS has it – you get something like:
[ysahu@loki01]~: openssl md5 test
Error setting digest md5
140129179674512:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
If OS doesn’t have it – you will see something like:
[ysahu@vilma95]~: openssl md5 test
FIPS mode not supported.
Or
Desired MD5 digest value.
If you need to add OpenSSL FIPs mode
Steps to build OpenSSL FIPS object module and OpenSSL library
- Download openssl-fips-* from OpenSSL website.
- Next build OpenSSL FIPS object module for OS, without any changes in build steps nor changes to the source code.
./config no-asm
make
make install - Installed location of OpenSSL FIPS object module cannot be changed. Files can be copied manually to other locations.
- Download openssl-1.* from OpenSSL website
- Build OpenSSL library without any changes in the code, using following commands:
export CFLAGS=-fPIC
./config fips –prefix=/path_installed/openssl_ins no-asmshared
make depend
make
make install
Caution: Please check if OpenSSL with FIPS object module is properly build / installed before setting FIPs mode ON in MySQL server/client. MySQL server will exit with error if FIPS enabled OpenSSL library is not installed and FIPS mode set to ON.
- Configure MySQL server/client to use FIPS mode:
Default MySQL server SSL FIPS mode is OFF (0). We need to start the MySQL server with FIPS mode ON
./runtime_output_directory/mysqld –socket=pwd
/yash.sock –port=7777 –datadir=/work/ysahu/trunk/data –basedir=/work/ysahu/trunk/ –ssl-fips-mode=1 –console
- Start MySQL client with FIPS mode ON
./runtime_output_directory/mysql -uroot –socket=pwd
/yash.sock –port=7777 –ssl-fips-mode=ON - Check if FIPS mode is successfully working in MySQL
MD5 is restricted hashing algorithm as par FIPS standard. MySQL server will give warning message for the same.
mysql> select md5(8);show warnings;
+———————————-+
| md5(8) |
+———————————-+
| 00000000000000000000000000000000 |
+———————————-+
1 row in set, 1 warning (0.00 sec)+———+——-+———————————————–+
| Level | Code | Message |
+———+——-+———————————————–+
| Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. |
+———+——-+———————————————-+
1 row in set (0.00 sec)
Now we can be sure that MySQL is using authentic OpenSSL library code. When FIPS mode is ON, MySQL server/client will only use the secure FIPS approved algorithms.
Be secure, be happy.
Thank you for using MySQL !