Introduction
FIPS compliance is crucial for numerous MySQL deployments, especially within government agencies and organizations subject to regulatory mandates. The alignment of FIPS 140-3 with ISO/IEC 19790 broadens the applicability of these requirements.
This blog clarifies the relationship between FIPS, OpenSSL, and MySQL, explaining:
- What is FIPS?
- What is OpenSSL and how MySQL uses OpenSSL?
- Version Specific OpenSSL / FIPS Details
- How to determine the level of FIPs compliance based on the Operating System version and MySQL version
- What is FIPS mode?
- MySQL Packages and FIPS
- Additional important details
FIPS (Federal Information Processing Standards) are a set of standards and guidelines issued by the U.S. National Institute of Standards and Technology (NIST) for use in federal computer systems.
FIPS covers:
- Cryptographic algorithms
- Computer security
- Network protocols
- Information technology management
FIPS 140
- FIPS 140 defines security requirements for cryptographic modules.
- The software components responsible for cryptographic functions in MySQL utilize the OpenSSL library.
Historic Summary – FIPS 140 Versions and ISO/IEC 19790
| Feature/Attribute | FIPS 140-2 | FIPS 140-3 | ISO/IEC 19790 |
|---|---|---|---|
| Release Year | 2001 | 2019 | 2012 |
| Status | Phasing Out | Current NIST Standard | International Standard |
| Security Levels (levels with increasing strictness) | 1-4 | 1-5 | 1-5 (Similar to FIPS 140-3) |
| Key Focus | General cryptographic module security | Enhanced security over 140-2 – software focus, side-channel protections. | Cryptographic module security |
| International Alignment | N/A | Aligns with ISO/IEC 19790 | International standard, aligns with FIPS 140-3 |
| Additional Details | Being replaced by 140-3 | Gradually replacing 140-2 | Often used with or as alternative to FIPS 140-3 |
What is OpenSSL and how MySQL uses OpenSSL?
OpenSSL is a widely used toolkit and includes cryptographic libraries. MySQL uses OpenSSL in the MySQL Server and any C/C++ executable and library for cryptography such as:
- Network Encryption – TLS (Transport Layer Security – ensures secure network communication)
- Encryption and decryption of data
- Generation and usage of cryptographic keys
- Creation and verification of digital certificates
- Hashing algorithms
OpenSSL 1.0.2 and FIPS:
- OpenSSL 1.0.2 has a FIPS Object Module used in FIPS 140-2 validation.
- The challenge with 1.0.2 is that it does NOT meet the requirements of FIPS 140-3. It is crucial to use a supported version of OpenSSL.
OpenSSL 1.1.1 and FIPS:
- OpenSSL 1.1.1 (and later versions) do not have a “FIPS object module.”
- This is because the concept of a FIPS object module is specific to the older FIPS 140-2 standard.
- FIPS 140-3, the current standard, changed how cryptographic modules are validated. Instead of object modules, FIPS 140-3 uses the concept of “FIPS providers,” which were introduced in OpenSSL 3.0.
OpenSSL 3.0 and FIPS:
- OpenSSL 3.0 introduces a significant change in how it handles FIPS compliance with the introduction of the FIPS provider. This new provider is key to understanding how OpenSSL 3.0 aligns with the FIPS 140-3 standard.
- In OpenSSL 3.0 no longer implements the “FIPS object module” concept used in older versions and FIPS 140-2. Instead, it uses a “FIPS provider.” This is a separate module containing only the cryptographic algorithms and functions that have been approved for use in FIPS mode.
- The new 3.0 FIPS provider in OpenSSL 3.0 supports this new FIP 140-3 methodology, offering a more secure and flexible method for achieving FIPS compliance.
For more details on the transition from FIPS 140-2 to FIPS 140-3 see FIPS 140-3 Transition Effort
How to determine the level of FIPs compliance based on the Operating System version and MySQL version
MySQL links to the OpenSSL library using 2 different methods depending on the Operating System.
- Linux operating systems that include OpenSSL
- MySQL dynamically links to the OpenSSL library
- The version of OpenSSL will depend on the Linux OS and version.
- Run the command line > openssl version -v
- If the -v returned version 3 you can find the location of the config file using the command line > openssl version -d
- The config file is the directory path output by the command. The configurations file in that directory is named openssl.cnf
- MySQL dynamically links to the OpenSSL library
- Generic Linux, Windows, or MacOS
- OpenSSL is included with the MySQL binaries and libraries..
- This OpenSSL library does not inherit FIPS certified from the operating system.
- If FIPS certified is required – these MySQL packages are not an option as they are not certified by NIST – and you will be out of compliance.
What is FIPS mode?
FIPS mode is a security configuration that adheres to the Federal Information Processing Standard (FIPS) Publication 140-2 or 140-3.
When an operating system is in FIPS mode, it is restricted to using only cryptographic algorithms and protocols that meet the FIPS 140-2 or 140-3 standard. This ensures a higher level of security for sensitive data.
MySQL Packages and FIPS
MySQL Server installation packages that dynamically link to OpenSSL are
- RPMS
- DEBS
These installations inherit the FIPS Mode from the OS.
MySQL Windows, MacOS and Generic Linux Packages include the OpenSSL Library with the distribution
- These packages do not support FIPS mode.
For example calls to the MD5() throw and error and return NULL with FIPS mode is enabled.
As shown in this table – the operating system and the OpenSSL version it provides is used to determine the level of FIPS 140 compliance and includes the verification certificate number from NIST.
|
|---|
Additional Important details
- Older versions of MySQL on older Linux’s.
- MySQL 8.0.34 and earlier: Control of FIPS mode on the server side and the client side was accomplished using the system variables ssl_fips_mode system variable which controlled whether the server operates in FIPS mode.
- If running OpenSSL 1.1.1 which did not have FIPS mode – ssl_fips_mode will always show OFF.
- When in fact the Linux Operating Systems OpenSSL FIPS mode might in fact be ON
- Thus, MySQL would not be able call non-FIPS encryption on such a system – as FIPS mode is enabled.
- If running OpenSSL 3.0+ and FIPS 3.0
- OpenSSL Configuration
- FIPS mode is configured via the OpenSSL 3.0 configuration to explicitly load the FIPS 3.0 PROVIDER (It’s not a FIPS Object like 1.0.2)
- https://docs.openssl.org/3.0/man7/fips_module/
- Via the OS – for example for Oracle Linux 9 see Configuring FIPS Mode
- Check the FIPS mode >sudo fips-mode-setup –check
- Enable FIPS mode sudo fips-mode-setup –-enable
- Then REBOOT
- For containers and other environments – reference specific FIPS mode documentation
- OpenSSL Configuration
Conclusion
For a secure and compliant MySQL deployment, you must understand the relationship between FIPS, OpenSSL, and MySQL. This includes FIPS standards, OpenSSL’s cryptographic role, and version-specific compliance details. You need to know how to determine compliance levels based on OS and MySQL versions, understand FIPS mode, and assess MySQL package support. Critically, you must understand OpenSSL versions and the shift to FIPS 140-3 and OpenSSL 3.0’s FIPS provider. This is particularly crucial for organizations in regulated industries, enabling informed FIPS compliance strategies and ensuring data security. Staying current with FIPS standards and OpenSSL versions is essential.
As always, thank you for using MySQL!
References
- Oracle FIPS Certifications
- Oracles FIPS Overview – Federal Information Processing Standard (FIPS) 140
- MySQL FIPS Support