Re: [HACKERS] FIPS mode? - Mailing list pgsql-hackers

From Curtis Ruck
Subject Re: [HACKERS] FIPS mode?
Date
Msg-id CAFgGLFc9gW9N7jXaGGV_QBdC+FMd8D=QteX+990BiTgVuc_Bog@mail.gmail.com
Whole thread Raw
In response to Re: [HACKERS] FIPS mode?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
To utilize openssl FIPS, you have to explicitly enable it, per the FIPS user guide: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

So, my target would be redhat/centos where openssl FIPS is certified/available, and then add a configuration parameter to enable it (much like Apache HTTPD's SSLFIPS directive: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslfips).

On Sat, Jun 24, 2017 at 1:51 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Michael Paquier <michael.paquier@gmail.com> writes:
> On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
> <curtis.ruck+pgsql.hackers@gmail.com> wrote:
>> If I clean this up some, maintain styleguide, what is the likely hood of
>> getting this included in the redhat packages, since redhat ships a certified
>> FIPS implementation?

> So they are applying a custom patch to it already?

Don't believe so.  It's been a few years since I was at Red Hat, but
my recollection is that their approach was that it was a system-wide
configuration choice changing libc's behavior, and there were only very
minor fixes required to PG's behavior, all of which got propagated
upstream (see, eg, commit 01824385a).  It sounds like Curtis is trying
to enable FIPS mode inside Postgres within a system where it isn't enabled
globally, which according to my recollection has basically nothing to do
with complying with the actual federal security standard.

                        regards, tom lane

pgsql-hackers by date:

Previous
From: Joe Conway
Date:
Subject: Re: [HACKERS] FIPS mode?
Next
From: Andres Freund
Date:
Subject: Re: [HACKERS] subscription worker signalling wal writer too much