[Bug 1971788] Re: Failure to enable SSL out of the box when in fips mode

Seth Arnold 1971788 at bugs.launchpad.net
Wed Jun 1 00:39:07 UTC 2022


On Mon, May 30, 2022 at 09:38:52AM -0000, Tobias Heider wrote:
> I don't think it does, but you have a point. It might be a little safer
> not to touch the function signature. Here's an updated fix.

This isn't quite as easy to read but I do like that the signature is
unchanged. I sure hope upstream takes another stab at these functions, it
feels pretty messy.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1971788

Title:
  Failure to enable SSL out of the box when in fips mode

Status in mysql-8.0 package in Ubuntu:
  Confirmed

Bug description:
  mysql-8.0 is failing to enable SSL on a fresh install if the running
  environment has FIPS enabled.

  This can be easily reproduced in a cloud image that has fips enabled,
  like https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips

  If you deploy that instance, then install mysql, it won't enable ssl:

  2022-05-05T20:00:26.839411Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
  2022-05-05T20:00:26.839694Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_new failed
  2022-05-05T20:00:26.886806Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL_CTX_new failed"'
  2022-05-05T20:00:26.887367Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '127.0.0.1' port: 33060, socket: /var/run/mysqld/mysqlx.sock
  2022-05-05T20:00:26.887679Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.29-0ubuntu0.20.04.3'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu).

  I then create a user, to login via tcp/ip:

  CREATE USER 'ubuntu'@'localhost' IDENTIFIED BY 'secret';

  And attempt it, but it's rejected because ssl is not used:
  # mysql -uubuntu -h 127.0.0.1 -p
  Enter password: 
  ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

  The fix is to tell mysql it should run in fips mode. I do that in /etc/mysql/mysql.conf.d/mysqld.cnf:
  [mysqld]
  ssl-fips-mode=on

  Restart, and this time the logs are happier. There is just a warning about ssl, but it's enabled:
  2022-05-05T20:03:56.490394Z 0 [Warning] [MY-013245] [Server] The SSL library function CRYPTO_set_mem_functions failed. This is typically caused by the SSL library already being used. As a result the SSL memory allocation will not be instrumented.
  2022-05-05T20:03:56.493941Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.29-0ubuntu0.20.04.3) starting as process 6722
  2022-05-05T20:03:56.506555Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
  2022-05-05T20:03:56.874520Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
  2022-05-05T20:03:57.168472Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
  2022-05-05T20:03:57.168769Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.

  And we can confirm it, but only if we pass the same option to the mysql client:
  # mysql -uubuntu -h 127.0.0.1 -p
  Enter password: 
  ERROR 2026 (HY000): SSL connection error: SSL_CTX_new failed

  # mysql -uubuntu -h 127.0.0.1 -p --ssl-fips-mode=on
  Enter password: 
  Welcome to the MySQL monitor.  Commands end with ; or \g.
  ...

  Note the SSL bit:
  mysql> \s
  --------------
  mysql  Ver 8.0.29-0ubuntu0.20.04.3 for Linux on x86_64 ((Ubuntu))

  Connection id:          9
  Current database:
  Current user:           ubuntu at localhost
  SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
  ...

  All in all, a configuration change makes this work, but the experience should be better out of the box. What can be done to improve this?
  - documentation?
  - have mysql detect a fips environment and auto-adjust?
  - something else?
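The failure mode and the configuration fix described in the report, as an added detection check that is not part of the bug report or of the mysql-8.0 package: a POSIX shell script that flags a host which is in FIPS mode, whose mysqld error log shows MY-010069 "SSL_CTX_new failed", and whose [mysqld] section does not set ssl-fips-mode. The three file paths are passed in as arguments (on a real host they would typically be /var/log/mysql/error.log, /etc/mysql/mysql.conf.d/mysqld.cnf and /proc/sys/crypto/fips_enabled); the sample log line, config files and FIPS flag at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): detect mysqld failing TLS
# initialisation on a FIPS host where [mysqld] lacks ssl-fips-mode.
# Arguments: error log, mysqld config file, kernel FIPS flag file.

# 0 if the error log contains the TLS-initialisation failure, 1 otherwise.
mysql_tls_init_failed() {
    grep -q 'MY-010069.*SSL_CTX_new failed' "$1"
}

# 0 if the [mysqld] section sets ssl-fips-mode to ON or STRICT ("-" or "_"
# spelling, any case, spaces around "=" allowed), 1 otherwise.
mysql_fips_mode_configured() {
    awk -F= '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $1 ~ /^[[:space:]]*ssl[-_]fips[-_]mode[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v)
            if (v == "on" || v == "strict") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# 0 if the kernel reports FIPS mode (the flag file reads "1"), 1 otherwise.
host_fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Prints a diagnosis; returns 0 when the misconfiguration from the bug is present.
diagnose() {
    if host_fips_enabled "$3" && mysql_tls_init_failed "$1" \
       && ! mysql_fips_mode_configured "$2"; then
        echo "FIPS host, mysqld TLS init failed, ssl-fips-mode unset: set ssl-fips-mode=on under [mysqld]"
        return 0
    fi
    echo "no FIPS-related TLS misconfiguration found"
    return 1
}

# Constructed sample inputs: one log line as in the report, two configs, FIPS flag.
tmp=$(mktemp -d)
printf '%s\n' '2022-05-05T20:00:26.839694Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_new failed' > "$tmp/error.log"
printf '[mysqld]\nuser = mysql\n' > "$tmp/broken.cnf"
printf '[mysqld]\nuser = mysql\nssl-fips-mode=on\n' > "$tmp/fixed.cnf"
echo 1 > "$tmp/fips_enabled"
diagnose "$tmp/error.log" "$tmp/broken.cnf" "$tmp/fips_enabled" || :
diagnose "$tmp/error.log" "$tmp/fixed.cnf" "$tmp/fips_enabled" || :
```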

More information about the Ubuntu-sponsors mailing list