Public bug reported: mysql-8.0 is failing to enable SSL on a fresh install if the running environment has FIPS enabled.
This can be easily reproduced in a cloud image that has FIPS enabled, like
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips

If you deploy that instance, then install mysql, it won't enable SSL:

2022-05-05T20:00:26.839411Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2022-05-05T20:00:26.839694Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_new failed
2022-05-05T20:00:26.886806Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL_CTX_new failed"'
2022-05-05T20:00:26.887367Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '127.0.0.1' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2022-05-05T20:00:26.887679Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.29-0ubuntu0.20.04.3' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu).

I then create a user, to log in via TCP/IP:

CREATE USER 'ubuntu'@'localhost' IDENTIFIED BY 'secret';

And attempt it, but it's rejected because SSL is not used:

# mysql -uubuntu -h 127.0.0.1 -p
Enter password:
ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

The fix is to tell mysql it should run in FIPS mode. I do that in /etc/mysql/mysql.conf.d/mysqld.cnf:

[mysqld]
ssl-fips-mode=on

Restart, and this time the logs are happier. There is just a warning about SSL, but it's enabled:

2022-05-05T20:03:56.490394Z 0 [Warning] [MY-013245] [Server] The SSL library function CRYPTO_set_mem_functions failed. This is typically caused by the SSL library already being used. As a result the SSL memory allocation will not be instrumented.
2022-05-05T20:03:56.493941Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.29-0ubuntu0.20.04.3) starting as process 6722
2022-05-05T20:03:56.506555Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2022-05-05T20:03:56.874520Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2022-05-05T20:03:57.168472Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2022-05-05T20:03:57.168769Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.

And we can confirm it, but only if we pass the same option to the mysql client:

# mysql -uubuntu -h 127.0.0.1 -p
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_new failed

# mysql -uubuntu -h 127.0.0.1 -p --ssl-fips-mode=on
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
...

Note the SSL bit:

mysql> \s
--------------
mysql  Ver 8.0.29-0ubuntu0.20.04.3 for Linux on x86_64 ((Ubuntu))

Connection id:          9
Current database:
Current user:           ubuntu@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
...

All in all, a configuration change makes this work, but the experience should be better out of the box. What can be done to improve this?
- documentation?
- have mysql detect a FIPS environment and auto-adjust?
- something else?

** Affects: mysql-8.0 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: server-triage-discuss

** Tags added: server-triage-discuss

** Summary changed:

- Failure to enable SSO out of the box when in fips mode
+ Failure to enable SSL out of the box when in fips mode

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971788

Title:
  Failure to enable SSL out of the box when in fips mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-8.0/+bug/1971788/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
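The report shows that both sides have to agree: mysqld needs ssl-fips-mode=on to get past SSL_CTX_new on a FIPS kernel, and the mysql client then needs the same setting or it fails with the same error. The script below is an added example, not part of the bug report and not code from the mysql-8.0 package. It shows one way to do the "detect a FIPS environment and auto-adjust" option the reporter asks about: read the kernel's FIPS flag from /proc/sys/crypto/fips_enabled (the standard Linux interface; its path is taken as a parameter so it can be tested offline) and, only when FIPS is on, write one option-file fragment that sets ssl-fips-mode for both the [mysqld] and [client] groups. The fragment name /etc/mysql/conf.d/fips.cnf and the use of the [client] group to reach the command-line client are this example's assumptions, not something the report prescribes.

```shell
#!/bin/sh
# Added example (not from the bug report or the mysql-8.0 package).
# Assumptions: the kernel exposes /proc/sys/crypto/fips_enabled containing "1"
# when FIPS is enforced; Ubuntu's /etc/mysql/my.cnf includes *.cnf from
# /etc/mysql/conf.d/; the mysql client reads the [client] option group.

FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# fips_enabled [FLAGFILE]: succeed only if the flag file is readable and is "1".
# A missing file (non-FIPS kernel) or "0" counts as FIPS off.
fips_enabled() {
    f="${1:-$FIPS_FLAG_FILE}"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# fips_mode_for_host [FLAGFILE]: print "on" or "off" for ssl-fips-mode.
fips_mode_for_host() {
    if fips_enabled "${1:-$FIPS_FLAG_FILE}"; then echo on; else echo off; fi
}

# render_fips_cnf MODE: print a MySQL option-file fragment that sets
# ssl-fips-mode for the server ([mysqld]) and the command-line client
# ([client]); the report shows a server-only setting leaves the client
# failing with "SSL_CTX_new failed". MODE must be "on" or "off".
render_fips_cnf() {
    mode="$1"
    case "$mode" in
        on|off) ;;
        *) echo "render_fips_cnf: mode must be on or off, got '$mode'" >&2; return 1 ;;
    esac
    printf '[mysqld]\nssl-fips-mode=%s\n\n[client]\nssl-fips-mode=%s\n' "$mode" "$mode"
}

# install_fips_cnf DEST [FLAGFILE]: write the fragment to DEST (mode 0644)
# when the host is in FIPS mode; otherwise touch nothing and return 2, so
# a non-FIPS host keeps the package defaults.
install_fips_cnf() {
    dest="$1"
    mode="$(fips_mode_for_host "${2:-$FIPS_FLAG_FILE}")"
    if [ "$mode" != "on" ]; then
        echo "FIPS not enabled on this host; not writing $dest" >&2
        return 2
    fi
    render_fips_cnf "$mode" > "$dest" && chmod 0644 "$dest"
}

# Usage (as root): sh fips-mysql.sh apply ; then restart mysqld.
if [ "${1:-}" = "apply" ]; then
    dest=/etc/mysql/conf.d/fips.cnf   # assumed location, see comment above
    install_fips_cnf "$dest" || exit $?
    echo "wrote $dest; restart the server (systemctl restart mysql) and verify with:"
    echo "  mysql -uubuntu -h 127.0.0.1 -p --ssl-mode=REQUIRED \\"
    echo "    -e 'SHOW SESSION STATUS LIKE \"Ssl_cipher\"'"
fi
```

The verification query at the end asks the server which cipher the current session negotiated, which is the same information the reporter reads from \s, and --ssl-mode=REQUIRED makes the client refuse a plaintext fallback rather than silently succeeding without TLS. Because the [client] group carries ssl-fips-mode, the explicit --ssl-fips-mode=on from the report is no longer needed on the command line. One caveat for anyone carrying this forward: ssl-fips-mode is a MySQL 8.0 option (the report is on 8.0.29); check the release notes of the version you deploy, since later releases have deprecated it.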