
MySQL Error 2064: CR_SSL_FIPS_MODE_ERR - How to Fix and Prevent

Galaxy Team
August 5, 2025

The client-side error fires when MySQL cannot switch OpenSSL into the requested FIPS mode.


What is MySQL error 2064?

MySQL Error 2064: CR_SSL_FIPS_MODE_ERR appears when MySQL or its client cannot switch OpenSSL into FIPS mode. Check that you are running a FIPS-enabled OpenSSL build or change ssl_fips_mode to OFF in my.cnf, then restart MySQL to clear the error.

Error Highlights

Typical Error Message: Set FIPS mode ON/STRICT failed
(CR_SSL_FIPS_MODE_ERR was added in 8.0.11.)

Error Type: SSL/TLS Error

Language: MySQL

Symbol: CR_SSL_FIPS_MODE_ERR

Error Code: 2064

SQL State:

Explanation


What is MySQL Error 2064: CR_SSL_FIPS_MODE_ERR?

MySQL 8.0.11 introduced the ssl_fips_mode system variable. When the server or client tries to set this variable to ON or STRICT, the SSL library must support Federal Information Processing Standards (FIPS) mode. If OpenSSL cannot enter that mode, MySQL emits Error 2064 with the condition name CR_SSL_FIPS_MODE_ERR.

The error is client-side, so it appears immediately after the SET command or during startup when ssl_fips_mode is read from my.cnf.

Connections that require FIPS compliance will fail until the mismatch is resolved.

What Causes This Error?

OpenSSL must be compiled with the FIPS Object Module and initialized correctly. Attempting to enable FIPS mode on a non-FIPS build triggers the error.

Mismatched OpenSSL versions between client and server, incorrect library paths, or operating systems without FIPS support also cause the failure.

Configuration files that force ssl_fips_mode=ON or STRICT on startup can expose the issue right after an upgrade, because pre-8.0.11 instances ignored the unsupported variable while newer builds enforce it.

How to Fix MySQL Error 2064

First confirm whether your deployment truly needs FIPS compliance. If not, set ssl_fips_mode=OFF at runtime or in my.cnf and restart the server.

When compliance is required, install or build MySQL against a FIPS-capable OpenSSL and confirm that libcrypto can switch to FIPS mode before launching MySQL.

On Linux distributions that ship both normal and FIPS libraries, verify LD_LIBRARY_PATH points to the FIPS versions and that the openssl binary reports FIPS mode enabled.

After correcting libraries, MySQL can successfully switch to ON or STRICT.

Common Scenarios and Solutions

After upgrading to MySQL 8.0.35, startup fails with Error 2064 because my.cnf inherited ssl_fips_mode=ON from an earlier test. Removing the line or changing it to OFF lets the server start normally.

Containerized deployments that copy OpenSSL libs from the host sometimes exclude the FIPS module. Rebuild the image with openssl-fips packages or mount the correct libraries and the error disappears.

Best Practices to Avoid This Error

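Keep operating system packages and MySQL binaries in sync so they share the same OpenSSL build configuration. Automate pre-flight checks that query the installed OpenSSL for FIPS support (for example, openssl version on builds that report a -fips suffix, or openssl list -providers on OpenSSL 3.x) and abort deployment when FIPS support is missing.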

Store ssl_fips_mode in an environment-specific include file rather than the primary my.cnf, allowing staging environments to run OFF and production to run ON.

Galaxy users can version-control these config snippets alongside queries for full traceability.
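A pre-flight check of the kind described above, which also covers the library check from the fix section, as an added example that is not Galaxy's or MySQL's own code. It reads the requested mode from an option file and inspects captured output of openssl version and openssl list -providers; the function names, the text-matching heuristic and the file path are assumptions made for the example.

```shell
#!/bin/sh
# Added example: abort a deployment when an option file requests
# ssl_fips_mode=ON/STRICT but OpenSSL shows no FIPS capability.

# Print the mode (OFF, ON, STRICT) an option file requests. The last
# assignment wins; '-' and '_' are interchangeable in option names and
# 0/1/2 are aliases for OFF/ON/STRICT.
requested_fips_mode() {
    awk -F= '
        BEGIN { mode = "OFF" }
        /^[ \t]*[#;]/ { next }                  # whole-line comments
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            sub(/[ \t]*#.*/, "", val)           # trailing comment
            gsub(/[ \t"]/, "", val)
            if (key == "ssl_fips_mode") mode = toupper(val)
        }
        END {
            if (mode == "0") mode = "OFF"
            if (mode == "1") mode = "ON"
            if (mode == "2") mode = "STRICT"
            print mode
        }' "$1"
}

# Succeed when captured OpenSSL output shows FIPS capability: a "-fips"
# version suffix (1.0.x FIPS builds) or a listed "fips" provider (3.x).
# This text match is a heuristic assumed for the example.
openssl_has_fips() {
    printf '%s\n' "$1" |
        grep -Eq '^OpenSSL [^ ]*-fips( |$)|^[[:space:]]+fips[[:space:]]*$'
}

# preflight FILE OPENSSL_OUTPUT: return 0 when safe to deploy, 1 to abort.
preflight() {
    mode=$(requested_fips_mode "$1")
    [ "$mode" = "OFF" ] && return 0
    if openssl_has_fips "$2"; then return 0; fi
    echo "abort: ssl_fips_mode=$mode but no FIPS support found" >&2
    return 1
}

# Live use (path is a placeholder): sh preflight.sh /etc/mysql/conf.d/fips.cnf
if [ "$#" -gt 0 ]; then
    preflight "$1" "$(openssl version 2>&1; openssl list -providers 2>&1)"
fi
```

The check inspects the openssl binary on PATH, which may not be the libcrypto that mysqld loads, so run it in the same image and environment as the server.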

Related Errors and Solutions

CR_SSL_CONNECTION_ERR indicates a general TLS handshake failure, usually from certificate problems, not FIPS mode. CR_SSL_CONNECTION_LOST occurs when the handshake succeeds but the encrypted channel breaks later. Both errors can appear together if FIPS mode forces stricter cipher suites.

CR_SSL_INVALID_PURPOSE_ERR is thrown when the certificate’s Extended Key Usage does not match the authentication role requested. Fix by generating certificates with the correct EKU or disabling client certificate checks.

Common Causes

Non-FIPS OpenSSL Build

The linked OpenSSL library lacks the FIPS Object Module, so any attempt to enable FIPS mode fails immediately.

Mismatched Client and Server Libraries

The MySQL client uses a non-FIPS OpenSSL while the server expects FIPS capability, or vice versa.

Incorrect Library Paths

LD_LIBRARY_PATH or PATH points to older OpenSSL binaries that cannot enter FIPS mode even if newer libraries exist.

Configuration File Forces FIPS

my.cnf or my.ini sets ssl_fips_mode=ON or STRICT without confirming the underlying libraries support FIPS.

FAQs

Does MySQL require FIPS mode by default?

No. The default value of ssl_fips_mode is OFF. You only need ON or STRICT when regulatory policies demand it.

Can I change ssl_fips_mode at runtime?

Yes. Users with SUPER or SYSTEM_VARIABLES_ADMIN privilege can run SET GLOBAL ssl_fips_mode = OFF|ON|STRICT without restarting.

Will disabling FIPS mode break replication?

No. Replication works as long as both master and replica agree on SSL requirements. Set the same ssl_fips_mode on all nodes.

How does Galaxy help?

Galaxy surfaces MySQL error messages instantly in its editor and lets you run remedial SET commands, version-control config snippets, and share fixes with your team.
