Re: Postgres in FIPS

From: M Sabin <postgres(at)sabes(dot)net>
To: Kenneth Buckler <kenneth(dot)buckler(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Postgres in FIPS
Date: 2011-01-12 13:30:36
Message-ID: AANLkTinedyE8YSu0zNDR7+HOgJNQzV09mbsEt6uS+9pq@mail.gmail.com
Lists: pgsql-general

Yes, we require SSL connections, because we have multiple clients that
access the database external from the server where the database resides.

Michael

On Tue, Jan 11, 2011 at 10:36 PM, Kenneth Buckler <kenneth(dot)buckler(at)gmail(dot)com> wrote:

> Something to think about here....does your database actually require
> encryption? Or is the encryption handled between remote user and
> application?
> If your database is shared locally on the same server as your
> application, then you shouldn't need FIPS encryption since the
> communication between database and application never leaves the
> system.
> Unless you have really strict application requirements.
>
> Ken
>
> On Tue, Jan 11, 2011 at 4:03 PM, M Sabin <postgres(at)sabes(dot)net> wrote:
> > Hello,
> >
> > My organization is in the process of getting a FIPS certification. I was
> > wondering if anyone has experience with getting their application FIPS
> > certified using postgres. I have read a little bit about this and saw that
> > you need to compile postgres manually using a FIPS capable version of
> > openssl.
> >
> > However, I would like to know how you handled the startup self test of
> > postgres and how you handled errors in the crypto module.
> >
> > I have started investigating compiling postgres using openssl-fips.
> > However, I run into issues when I try to run the make scripts using the
> > fipsld linker.
> >
> > The error I get is:
> > fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv -DDEF_PGPORT=5432 -I../../../src/interfaces/libpq -I../../../src/include -D_GNU_SOURCE -I/usr/local/ssl/fips/include -I/usr/local/include -c -o pg_ctl.o pg_ctl.c
> > fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv pg_ctl.o -L../../../src/port -l pgport -L../../../src/interfaces/libpq -lpq -L../../../src/port -L/usr/local/ssl/fips/lib -L/usr/local/lib -Wl,--as-needed -Wl,-rpath,'/usr/local/pgsql/lib' -lpgport -lssl -lcrypto -lcrypt -ldl -lm -o pg_ctl
> > ./pg_ctl: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory
> >
> >
> > Just as a FYI, I am running configure and make in the following manner:
> >> ./configure --with-includes=/usr/local/ssl/fips/include:/usr/local/include
> >> --with-libraries=/usr/local/ssl/fips/lib:/usr/local/lib --enable-shared
> >> -with-openssl --without-readline --without-zlib
> >
> >> make CC=fipsld FIPSLD_CC=gcc
> >
> > Thanks for any help
> >
>
