Home > mailing lists

Re: scram-sha-256 authentication broken in FIPS mode - Mailing list pgsql-general

From	Alessandro Gherardi
Subject	Re: scram-sha-256 authentication broken in FIPS mode
Date	September 7, 2018 12:27:33
Msg-id	1924578892.946938.1536301653576@mail.yahoo.com Whole thread Raw
In response to	scram-sha-256 authentication broken in FIPS mode (Alessandro Gherardi <alessandro.gherardi@yahoo.com>)
Responses	Re: scram-sha-256 authentication broken in FIPS mode (Alessandro Gherardi <alessandro.gherardi@yahoo.com>)
List	pgsql-general

Tree view

Hi Michael,

I'm attaching the output of diff <updated source file> <original source file>.

> If we could prove that sha2-openssl.c is actually
unreliable even if FIPS is enabled system-wide with either SCRAM
authentication or any of the other hashing functions, then I would be
ready to accept a patch. Now, as far as I can see and heard from other
folks for at least Linux, if FIPS is enabled at the OS level, then
Postgres would use it automatically and SCRAM is able to work.

Not sure why it works on Linux but not on Windows. That the low-level digest APIs can't be used when FIPS is enabled is by design, other people have encountered that problem, e.g., http://openssl.6102.n7.nabble.com/Low-Level-Digest-if-Fips-mode-td54983.html .

Thanks,

Alessandro

Attachment

pgsql-general by date:

From: Ron
Date: 07 September 2018, 12:21:26
Subject: pgbackrest when data/base is symlinked to another volume

From: Fabio Pardi
Date: 07 September 2018, 14:07:07
Subject: A Timeseries Case Study: InfluxDB VS PostgreSQL

Re: scram-sha-256 authentication broken in FIPS mode - Mailing list pgsql-general

Attachment

Previous

Next