Thanks for the quick response. I will try this out.
Would it be possible to share the configure command used in building the standard postgres package. There are quite a lot of knobs and we wanted to retain the same behaviour from postgres. I am assuming apart from this, I might need to set the LDFLAGS, CFLAGS knob to point to include and lib directories of FIPS compliant openssl library and includes. Also we would like to build a debian package post the make -- would checkinstall be the right tool for this purpose ?
On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote: > Since postgres is linked against openssl we wanted to make sure we build > postgres against the FIPS compliant openssl libraries. Does postgres > provide a FIPS debian package that can be used. If not it would be of great > help to help with the instructions to build the debian of postgres linked > against the FIPS compliant openssl libraries.
There is no need for Postgres to do anything specific with FIPS at runtime, as long as the OS takes care of enabling FIPS and that OpenSSL is able to recognize that. So normally, you could just use a version of Postgres compiled with OpenSSL 1.0.2, and replace the libraries of OpenSSL with a version that is compiled with FIPS enabled as the APIs of OpenSSL used by Postgres are exactly the same for the non-FIPS and FIPS cases. -- Michael