Re: Allow tests to pass in OpenSSL FIPS mode - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Allow tests to pass in OpenSSL FIPS mode
Date
Msg-id 8F4E545F-411F-4175-B75F-266842D592AE@yesql.se
In response to Re: Allow tests to pass in OpenSSL FIPS mode  (Peter Eisentraut <peter@eisentraut.org>)
Responses Re: Allow tests to pass in OpenSSL FIPS mode
List pgsql-hackers
> On 15 Nov 2023, at 12:44, Peter Eisentraut <peter@eisentraut.org> wrote:
>
> On 15.11.23 00:07, Tom Lane wrote:
>> I'm more concerned about the 3DES situation.  Fedora might be a bit
>> ahead of the curve here, but according to the link above, everybody is
>> supposed to be in compliance by the end of 2023.  So I'd be inclined
>> to guess that the 3DES-is-rejected case is going to be mainstream
>> before v17 ships.
>
> Right.  It is curious that I have not found any activity in the OpenSSL issue trackers about this.  But if you send me your results file, then I can include it in the patch as an alternative expected.

As NIST SP800-131A allows decryption with 3DES and DES I don't think OpenSSL
will do much other than move it to the legacy module where it can be used
opt-in like DES.  SKIPJACK is already disallowed since before but is still
tested with decryption during FIPS validation.

Using an alternative results file to handle platforms which explicitly remove
disallowed ciphers seems like the right choice.

Since the 3DES/DES deprecations aren't limited to FIPS, do we want to do
anything for pgcrypto where we have DES/3DES encryption?  Maybe a doc patch
which mentions the deprecation with a link to the SP could be in order?

--
Daniel Gustafsson



