Bug Report
1. What did you do?
Run sync-diff-inspector on TiDB cluster running v8.5.4 with FIPS enabled.
2. What did you expect to see?
sync-diff-inspector succeeds.
3. What did you see instead?
sync-diff-inspector fails with:
Error 1105 (HY000): [components/tidb_query_expr/src/impl_encryption.rs:167]:
OpenSSL error: ErrorStack([Error {
code: 50856204,
library: "digital envelope routines",
function: "inner_evp_generic_fetch",
reason: "unsupported"
Preliminary RCA:
TiDB FIPS build mode was introduced in 7.6.0: Pull Request #47949: Makefile,cmd/tidb-server: add tidb-server FIPS build target.
sync-diff-inspector relies on MD5() for chunk checksumming. TiDB may push expression evaluation down to TiKV coprocessor, which uses OpenSSL for cryptographic functions (tidb_query_expr).
In FIPS configuration, MD5 is disabled in the OpenSSL library used by TiKV. Therefore, when TiKV's OpenSSL inner_evp_generic_fetch() tries to load the MD5 algorithm, it fails with error code 50856204 (EVP_R_UNSUPPORTED).
As a result, sync-diff-inspector fails because TiDB rejects all MD5-based checksum queries due to OpenSSL security policy restrictions.
4. What version of TiDB are you using?
v8.5.4 with ENABLE_FIPS=1
5. Which tool are you using?
sync-diff-inspector
6. What version of the tool are you using?
sync-diff-inspector from v8.5.4 release.
ref pingcap/tidb-tools#885
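A triage helper for the error quoted in the report, as an added example (not code from sync-diff-inspector, TiDB or TiKV): it unpacks the `code` field using the packed error layout from OpenSSL 3.x `openssl/err.h` to show which library and reason produced it. The names `Decode`, `OpenSSLErr` and `AlgorithmUnavailable` are hypothetical, and it assumes the code was produced by an OpenSSL 3.x build.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Error text as quoted in the report (the dump is cut off there as well).
const sampleError = `Error 1105 (HY000): [components/tidb_query_expr/src/impl_encryption.rs:167]: OpenSSL error: ErrorStack([Error { code: 50856204, library: "digital envelope routines", function: "inner_evp_generic_fetch", reason: "unsupported"`

// Packed OpenSSL 3.x error code layout, from openssl/err.h.
const (
	libOffset    = 23         // library number: 8 bits starting here
	rflagsMask   = 0x1F << 18 // reason flag bits
	rflagCommon  = 0x2 << 18  // reason is a library-independent ERR_R_* value
	reasonMask   = 0x7FFFFF   // reason field, flags included
	errLibEVP    = 6          // ERR_LIB_EVP, "digital envelope routines"
	rUnsupported = 268        // ERR_R_UNSUPPORTED with its common flag removed
)

// OpenSSLErr is one unpacked code; Reason has the flag bits stripped.
type OpenSSLErr struct {
	Lib, Reason uint32
	Common      bool
}

var codeRe = regexp.MustCompile(`code:\s*(\d+)`)

// Decode unpacks the first "code: N" field of an ErrorStack dump.
func Decode(msg string) (OpenSSLErr, error) {
	m := codeRe.FindStringSubmatch(msg)
	if m == nil {
		return OpenSSLErr{}, fmt.Errorf("no OpenSSL error code in message")
	}
	n, err := strconv.ParseUint(m[1], 10, 31) // bit 31 set would mean an errno
	if err != nil {
		return OpenSSLErr{}, fmt.Errorf("not a library error code: %s", m[1])
	}
	c := uint32(n)
	return OpenSSLErr{(c >> libOffset) & 0xFF, c & reasonMask &^ rflagsMask, c&rflagCommon != 0}, nil
}

// AlgorithmUnavailable reports an EVP algorithm fetch refused as "unsupported".
func (e OpenSSLErr) AlgorithmUnavailable() bool {
	return e.Lib == errLibEVP && e.Common && e.Reason == rUnsupported
}

func main() { fmt.Println(Decode(sampleError)) }
```

For the quoted code 50856204 (0x0308010C) this yields library 6, reason 268 and the common flag set.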