Home > mailing lists

Re: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

From	Robert Haas
Subject	Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date	December 4 20:39:41
Msg-id	CA+TgmoYz85dnX2SktK+EhnhxTjDdq6tZNPjuwvCBhgwSz3iDRA@mail.gmail.com Whole thread Raw
In response to	Re: Replace current implementations in crypt() and gen_salt() to OpenSSL (Daniel Gustafsson <daniel@yesql.se>)
List	pgsql-hackers

Tree view

On Wed, Dec 4, 2024 at 9:33 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> > The comment suggests to me that if the user happened to be using
> > OpenSSL 1.1.1 and CheckLegacyCryptoMode() was called, the expected
> > outcome would be an error, but it will just return.
>
> I think I know what you mean, but just to be clear so I know what to reword,
> the comment in the code or the above quoted email?
>
> If the GUC is set to fips it will mimic the OpenSSL setting (disallow when
> OpenSSL is in FIPS mode and allow when OpenSSL isn't in FIPS mode), and thus
> allow internal crypto since OpenSSL 1.1.1 cannot operate in FIPS mode.  If the
> GUC is set to on or off it will allow or disallow built-in crypto without
> considering the OpenSSL state.

Never mind, I was being stupid.

*wanders off to find a paper bag*

--
Robert Haas
EDB: http://www.enterprisedb.com

pgsql-hackers by date:

From: Robert Haas
Date: 04 December, 20:38:30
Subject: Re: Eager aggregation, take 3

From: Joe Conway
Date: 04 December, 20:40:20
Subject: Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

Re: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

Previous

Next