Re: FIPS mode?

To utilize openssl FIPS, you have to explicitly enable it, per the FIPS
user guide: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

So, my target would be redhat/centos where openssl FIPS is
certified/available, and then add a configuration parameter to enable it
(much like Apache HTTPD's SSLFIPS directive:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslfips).

On Sat, Jun 24, 2017 at 1:51 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Michael Paquier <michael(dot)paquier(at)gmail(dot)com> writes:
> > On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
> > <curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com> wrote:
> >> If I clean this up some, maintain styleguide, what is the likely hood of
> >> getting this included in the redhat packages, since redhat ships a
> certified
> >> FIPS implementation?
>
> > So they are applying a custom patch to it already?
>
> Don't believe so. It's been a few years since I was at Red Hat, but
> my recollection is that their approach was that it was a system-wide
> configuration choice changing libc's behavior, and there were only very
> minor fixes required to PG's behavior, all of which got propagated
> upstream (see, eg, commit 01824385a). It sounds like Curtis is trying
> to enable FIPS mode inside Postgres within a system where it isn't enabled
> globally, which according to my recollection has basically nothing to do
> with complying with the actual federal security standard.
>
> regards, tom lane
>