Bruce,
In my experience, any client is permitted to connect to FIPS140-2 compliant server. I set this up when I worked at
SSA,at management’s request.
—
Jay
Sent from my iPad
> On Sep 25, 2020, at 3:13 PM, Bruce Momjian <bruce@momjian.us> wrote:
>
> On Fri, Sep 25, 2020 at 03:56:53PM +0900, Michael Paquier wrote:
>>> On Fri, Sep 25, 2020 at 01:36:44AM -0400, Tom Lane wrote:
>>> Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
>>>> However, again, the SCRAM
>>>> implementation would already appear to fail that requirement because it
>>>> uses a custom HMAC implementation, and HMAC is listed in FIPS 140-2 as a
>>>> covered algorithm.
>>>
>>> Ugh. But is there any available FIPS-approved library code that could be
>>> used instead?
>>
>> That's a good point, and I think that this falls down to use OpenSSL's
>> HMAC_* interface for this job when building with OpenSSL:
>> https://www.openssl.org/docs/man1.1.1/man3/HMAC.html
>>
>> Worth noting that these have been deprecated in 3.0.0 as per the
>> rather-recent commit dbde472, where they recommend the use of
>> EVP_MAC_*() instead.
>
> Would a FIPS server only be able to talk to a FIPS client, or would our
> internal code produce the same output?
>
> --
> Bruce Momjian <bruce@momjian.us> https://momjian.us
> EnterpriseDB https://enterprisedb.com
>
> The usefulness of a cup is in its emptiness, Bruce Lee
>
>
>