I see that somebody decided to crank up some animals running
RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals
pass on v17 and master, but not older branches; the RHEL8
animals pass nowhere. This is unsurprising given that the
v17-era commits that allowed our regression tests to pass
under FIPS mode (795592865 and a bunch of others) explicitly
targeted only OpenSSL 3:
These new expected files currently cover the FIPS mode provided by
OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
Fedora 35). (The latter will have some error message wording
differences.)
I'm kind of disinclined to do all the work that'd be needed to turn
these animals completely green, especially when the reason to do it
seems to be that someone decided we should without any community
consultation. Perhaps others have different opinions though.
Thoughts?
regards, tom lane
