Home > mailing lists

Re: Allow tests to pass in OpenSSL FIPS mode - Mailing list pgsql-hackers

From	Peter Eisentraut
Subject	Re: Allow tests to pass in OpenSSL FIPS mode
Date	October 6, 2023 16:44:40
Msg-id	389e7bd8-dad2-5430-f571-e5ebdc775d2c@eisentraut.org Whole thread Raw
In response to	Re: Allow tests to pass in OpenSSL FIPS mode (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

On 05.10.23 22:04, Tom Lane wrote:
> On the way to testing this, I discovered that we have a usability
> regression with recent OpenSSL releases.  The Fedora 35 installation
> I used to use for testing FIPS-mode behavior would produce errors like

> +ERROR:  could not compute MD5 hash: disabled for FIPS

> In the shiny new Fedora 38 installation I just set up for the
> same purpose, I'm seeing

> +ERROR:  could not compute MD5 hash: unsupported

This makes sense, because the older OpenSSL works basically like

     if (FIPS_mode()) {
         specific_error();
     }

while the new one has all crypto methods in modules, and if you load the 
fips module, then some crypto methods just don't exist.

pgsql-hackers by date:

From: Peter Eisentraut
Date: 06 October 2023, 16:13:57
Subject: Re: ALTER COLUMN ... SET EXPRESSION to alter stored generated column's expression

From: Peter Eisentraut
Date: 06 October 2023, 16:46:24
Subject: Re: Allow tests to pass in OpenSSL FIPS mode

Re: Allow tests to pass in OpenSSL FIPS mode - Mailing list pgsql-hackers

Previous

Next