Re: postgresql 9.3.10, FIPS mode and DRBG issues. - Mailing list pgsql-general

From Rodney Lott
Subject Re: postgresql 9.3.10, FIPS mode and DRBG issues.
Date
Msg-id db0cc2d2a790459db5c489d76f3481dd@WARIO.burlington.evertz.tv
In response to Re: postgresql 9.3.10, FIPS mode and DRBG issues.  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
> > So, my question is this: In FIPS mode, what would cause the random
> > number generation to not initialize?
>
> I remember that Red Hat's version of "FIPS mode" involved crypto
> features (including RNGs) just refusing to work in modes deemed
> inadequately secure.  So my guess is that psql is trying to configure
> OpenSSL with some inadequately-secure settings.  Not sure why it'd be
> different from the server though.  Are you sure psql and the libpq it's
> using are same version as the apparently-working server?
>
>             regards, tom lane

Hi, Tom.

Thanks for the quick reply. I'll look into the settings and see what I can find.

I double checked the installed packages and they seem to be from my same postgresql build (i.e. note my timestamp of 1459281538):

# dpkg -l | grep postgres
ii  postgresql-9.3                      9.3.10-0ubuntu0.14.04~et1~fips~2.0.9~1459281538 amd64        object-relational SQL database, version 9.3 server
ii  postgresql-9.3-dbg                  9.3.10-0ubuntu0.14.04~et1~fips~2.0.9~1459281538 amd64        debug symbols for postgresql-9.3
ii  postgresql-client-9.3               9.3.10-0ubuntu0.14.04~et1~fips~2.0.9~1459281538 amd64        front-end programs for PostgreSQL 9.3
ii  postgresql-client-common            154-et1~fips~2.0.9~1459281538                   all          manager for multiple PostgreSQL client versions
ii  postgresql-common                   154-et1~fips~2.0.9~1459281538                   all          PostgreSQL database-cluster manager
ii  postgresql-contrib-9.3              9.3.10-0ubuntu0.14.04~et1~fips~2.0.9~1459281538 amd64        additional facilities for PostgreSQL
ii  postgresql-json-build               1.1.0-et3                                       amd64        json_build extension for postgresql
ii  postgresql-plpython-9.3             9.3.10-0ubuntu0.14.04~et1~fips~2.0.9~1459281538 amd64        PL/Python procedural language for PostgreSQL 9.3
# dpkg -l | grep libpq
ii  libpq5                              9.3.10-0ubuntu0.14.04~et1~fips~2.0.9~1459281538 amd64        PostgreSQL C client library
# dpkg -S /usr/bin/psql
postgresql-client-common: /usr/bin/psql
# dpkg -S /usr/lib/postgresql/9.3/bin/postgres
postgresql-9.3: /usr/lib/postgresql/9.3/bin/postgres
# psql -h 127.0.0.1 -U postgres -d sslmode=require
psql: SSL SYSCALL error (0): EOF detected, err=5

So, I believe that psql and libpq are from the same version as the currently working server.

Regards,

Rodney

