Dhaval Shah wrote:
> I am setting up Postgres for OpenSSL + FIPs.
>
> I am compiling Postgres with OpenSSL FIPS library using the
> "-with-openssl" option. The question I have is, just doing that
> suffice? Or do I have to modify the postgres source code?
>
> Since I read through the OpenSSL FIPS documentation, it mentions to
> take this step as well:
>
> 1. Fips mode initialization via
> a. direct call to FIPS_mode_set() or
> b. indirect call to OPENSSL_config()
>
> With either 1a or 1b, it indicates that I have to modify the postgres
> source code [that looks like a fork and local maintenance of the
> postgres source code].
>
> Of course I would like to hear that -with-openssl option takes care of
> the above and I just have to compile with that option. If not, which
> postgres files should I modify? Is it possible to create a header file
> and compile link it as part of postgres so that when postgres starts
> up, it can do either of the above mentioned calls.
PostgreSQL does not call FIPS_mode_set(), but we *do* call
OPENSSL_config() if the OpenSSL version is >= 0x0907. So with the proper
parameters in your openssl config file, you should be fine without
having to modify the source.
//Magnus
