Re: postgres-10 with FIPS - Mailing list pgsql-general

From Joe Conway
Subject Re: postgres-10 with FIPS
Date
Msg-id 20c41b71-278b-a6c3-fea8-eab50a4e11fa@joeconway.com
Whole thread Raw
In response to Re: postgres-10 with FIPS  (Aravindhan Krishnan <aravindhank11@gmail.com>)
List pgsql-general
On 12/9/20 4:51 AM, Aravindhan Krishnan wrote:
> The paid version I had mentioned about was the paid OS (ubuntu) for FIPS
> compliancy. I understand that postgres as is completely available for open-source.
>
> Since we can't get the paid version of the OS to support FIPS compliancy the
> idea was to build postgres against FIPS compliant SSL/crypto of 1.0.2g and get
> it to work on ubuntu 20.04 for which I was interested in the configure option.

Actual FIPS compliance is held by the distributor of the SSL library you use.

While you can, for example, configure a CentOS 7 system to be in "FIPS mode", it
is still not "FIPS compliant" if you didn't get the bits (the SSL library
itself) from Red Hat (which you did not if you are running CentOS).

The situation is the same with Ubuntu, except as far as I am aware you cannot
even get your hands on the SSL library for "FIPS mode" from Ubuntu unless you
pay them, unlike CentOS.

So no matter what you do with Postgres itself, you will not be FIPS compliant
without paying RHEL/Ubuntu/SUSE or getting your stack certified yourself (which
is not likely something you will want to do and would cost you more anyway).

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development


Attachment

pgsql-general by date:

Previous
From: electrotype
Date:
Subject: Re: JDBC driver - is "getGeneratedKeys()" guaranteed to return the ids in the same order a batch insert was made?
Next
From: Tom Lane
Date:
Subject: Re: Execution order of CTEs / set_config and current_setting in the same query