From: | Curtis Ruck <curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: FIPS mode? |
Date: | 2017-06-24 22:29:28 |
Message-ID: | CAFgGLFc9gW9N7jXaGGV_QBdC+FMd8D=QteX+990BiTgVuc_Bog@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
To utilize openssl FIPS, you have to explicitly enable it, per the FIPS
user guide: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
So, my target would be redhat/centos where openssl FIPS is
certified/available, and then add a configuration parameter to enable it
(much like Apache HTTPD's SSLFIPS directive:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslfips).
On Sat, Jun 24, 2017 at 1:51 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Michael Paquier <michael(dot)paquier(at)gmail(dot)com> writes:
> > On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
> > <curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com> wrote:
> >> If I clean this up some, maintain styleguide, what is the likely hood of
> >> getting this included in the redhat packages, since redhat ships a
> certified
> >> FIPS implementation?
>
> > So they are applying a custom patch to it already?
>
> Don't believe so. It's been a few years since I was at Red Hat, but
> my recollection is that their approach was that it was a system-wide
> configuration choice changing libc's behavior, and there were only very
> minor fixes required to PG's behavior, all of which got propagated
> upstream (see, eg, commit 01824385a). It sounds like Curtis is trying
> to enable FIPS mode inside Postgres within a system where it isn't enabled
> globally, which according to my recollection has basically nothing to do
> with complying with the actual federal security standard.
>
> regards, tom lane
>
From | Date | Subject | |
---|---|---|---|
Next Message | Andres Freund | 2017-06-25 00:09:52 | Re: subscription worker signalling wal writer too much |
Previous Message | Joe Conway | 2017-06-24 17:41:27 | Re: FIPS mode? |