Rechercher dans le manuel MySQL
6.5 FIPS Support
MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime.
FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server.
The following sections describe FIPS mode and how to take advantage of it within MySQL:
FIPS Overview
Federal Information Processing Standards 140-2 (FIPS 140-2) describes a security standard that can be required by Federal (US Government) agencies for cryptographic modules used to protect sensitive or valuable information. To be considered acceptable for such Federal use, a cryptographic module must be certified for FIPS 140-2. If a system intended to protect sensitive data lacks the proper FIPS 140-2 certificate, Federal agencies cannot purchase it.
Products such as OpenSSL can be used in FIPS mode, although the OpenSSL library itself is not validated for FIPS. Instead, the OpenSSL library is used with the OpenSSL FIPS Object Module to enable OpenSSL-based applications to operate in FIPS mode.
For general information about FIPS and its implementation in OpenSSL, these references may be helpful:
FIPS mode imposes conditions on cryptographic operations such as restrictions on acceptable encryption algorithms or requirements for longer key lengths. For OpenSSL, the exact FIPS behavior depends on the OpenSSL version. For details, refer to the OpenSSL FIPS User Guide.
For MySQL to support FIPS mode, these system requirements must be satisfied:
At build time, MySQL must be compiled using OpenSSL. FIPS mode cannot be used in MySQL if compilation uses a different SSL library.
At runtime, the OpenSSL library and OpenSSL FIPS Object Module must be available as shared (dynamically linked) objects. It is possible to build statically linked OpenSSL objects, but MySQL will not use them.
FIPS mode has been tested for MySQL on EL7, but may work on other systems.
If your platform or operating system provides the OpenSSL FIPS Object Module, you can use it. Otherwise, you can build the OpenSSL library and FIPS Object Module from source. Use the instructions in the OpenSSL FIPS User Guide (see FIPS Overview).
MySQL enables control of FIPS mode on the server side and the client side:
The
ssl_fips_modesystem variable controls whether the server operates in FIPS mode.The
--ssl-fips-modeclient option controls whether a given MySQL client operates in FIPS mode.
The ssl_fips_mode system
variable and --ssl-fips-mode
client option permit these values:
OFF: Disable FIPS mode.ON: Enable FIPS mode.STRICT: Enable “strict” FIPS mode.
On the server side, numeric
ssl_fips_mode values of 0, 1,
and 2 are equivalent to OFF,
ON, and STRICT,
respectivey.
In general, STRICT imposes more
restrictions than ON, but MySQL itself has
no FIPS-specific code other than to specify to OpenSSL the
FIPS mode value. The exact behavior of FIPS mode for
ON or STRICT depends on
the OpenSSL version. For details, refer to the OpenSSL FIPS
User Guide (see FIPS Overview).
If the OpenSSL FIPS Object Module is not available, the only
permitted value for
ssl_fips_mode and
--ssl-fips-mode is
OFF. An error occurs for attempts to set
the FIPS mode to a different value.
FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server.
FIPS mode also applies to attempts by clients to connect to the
server. When enabled, on either the client or server side, it
restricts which of the supported encryption ciphers can be
chosen. However, enabling FIPS mode does not require that an
encrypted connection must be used, or that user credentials must
be encrypted. For example, if FIPS mode is enabled, stronger
cryptographic algorithms are required. In particular, MD5 is
restricted, so trying to establish an encrypted connection using
an encryption cipher such as RC4-MD5 does not
work. But there is nothing about FIPS mode that prevents
establishing an unencrypted connection. (To do that, you can use
the REQUIRE clause for
CREATE USER or
ALTER USER for specific user
accounts, or set the
require_secure_transport system
variable to affect all accounts.)
Nederlandse vertaling
U hebt gevraagd om deze site in het Nederlands te bezoeken. Voor nu wordt alleen de interface vertaald, maar nog niet alle inhoud.Als je me wilt helpen met vertalingen, is je bijdrage welkom. Het enige dat u hoeft te doen, is u op de site registreren en mij een bericht sturen waarin u wordt gevraagd om u toe te voegen aan de groep vertalers, zodat u de gewenste pagina's kunt vertalen. Een link onderaan elke vertaalde pagina geeft aan dat u de vertaler bent en heeft een link naar uw profiel.
Bij voorbaat dank.
Document heeft de 26/06/2006 gemaakt, de laatste keer de 26/10/2018 gewijzigd
Bron van het afgedrukte document:https://www.gaudry.be/nl/mysql-rf-fips-mode.html
De infobrol is een persoonlijke site waarvan de inhoud uitsluitend mijn verantwoordelijkheid is. De tekst is beschikbaar onder CreativeCommons-licentie (BY-NC-SA). Meer info op de gebruiksvoorwaarden en de auteur.
Referenties
Deze verwijzingen en links verwijzen naar documenten die geraadpleegd zijn tijdens het schrijven van deze pagina, of die aanvullende informatie kunnen geven, maar de auteurs van deze bronnen kunnen niet verantwoordelijk worden gehouden voor de inhoud van deze pagina.
De auteur Deze site is als enige verantwoordelijk voor de manier waarop de verschillende concepten, en de vrijheden die met de referentiewerken worden genomen, hier worden gepresenteerd. Vergeet niet dat u meerdere broninformatie moet doorgeven om het risico op fouten te verkleinen.
