On 06/23/2017 10:51 PM, Tom Lane wrote:
> Michael Paquier <michael.paquier@gmail.com> writes:
>> On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
>> <curtis.ruck+pgsql.hackers@gmail.com> wrote:
>>> If I clean this up some, maintain styleguide, what is the likely hood of
>>> getting this included in the redhat packages, since redhat ships a certified
>>> FIPS implementation?
>
>> So they are applying a custom patch to it already?
>
> Don't believe so. It's been a few years since I was at Red Hat, but
> my recollection is that their approach was that it was a system-wide
> configuration choice changing libc's behavior, and there were only very
> minor fixes required to PG's behavior, all of which got propagated
> upstream (see, eg, commit 01824385a). It sounds like Curtis is trying
> to enable FIPS mode inside Postgres within a system where it isn't enabled
> globally, which according to my recollection has basically nothing to do
> with complying with the actual federal security standard.
Yes, see the PostgreSQL DISA STIG for a discussion with respect to that:
https://www.crunchydata.com/postgres-stig/PGSQL-STIG-9.5+.pdf
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development