Re: FIPS mode?

On 06/23/2017 10:51 PM, Tom Lane wrote:
> Michael Paquier <michael(dot)paquier(at)gmail(dot)com> writes:
>> On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
>> <curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com> wrote:
>>> If I clean this up some, maintain styleguide, what is the likely hood of
>>> getting this included in the redhat packages, since redhat ships a certified
>>> FIPS implementation?
>
>> So they are applying a custom patch to it already?
>
> Don't believe so. It's been a few years since I was at Red Hat, but
> my recollection is that their approach was that it was a system-wide
> configuration choice changing libc's behavior, and there were only very
> minor fixes required to PG's behavior, all of which got propagated
> upstream (see, eg, commit 01824385a). It sounds like Curtis is trying
> to enable FIPS mode inside Postgres within a system where it isn't enabled
> globally, which according to my recollection has basically nothing to do
> with complying with the actual federal security standard.

Yes, see the PostgreSQL DISA STIG for a discussion with respect to that:

https://www.crunchydata.com/postgres-stig/PGSQL-STIG-9.5+.pdf

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development