Thread: FIPS-related Error: Password Must Be at Least 112 Bits on Postgres 14, Unlike in Postgres 11
Hey PostgreSQL experts,
I have encountered an issue related to FIPS mode while setting up two different configurations. The first configuration consists of PostgreSQL 11 with MD5 password encryption and FIPS mode enabled. The second configuration involves PostgreSQL 14 with scram-sha-256 password encryption and FIPS mode enabled. Both configurations can be used as a database in a cluster.
The OpenSSL version I am using is OpenSSL 1.0.2zd-fips, released on 15th March 2022.
During the cluster setup, specifically the database setup, I have observed that the first configuration sets up successfully. However, the second configuration with PostgreSQL 14 fails with the following error:
Exception in thread "main" com.safelogic.cryptocomply.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits
        at com.safelogic.cryptocomply.crypto.fips.FipsPBKD$Parameters.<init>(FipsPBKD.java:90)
        at com.safelogic.cryptocomply.crypto.fips.FipsPBKD$Parameters.<init>(FipsPBKD.java:63)
        at com.safelogic.cryptocomply.crypto.fips.FipsPBKD$ParametersBuilder.using(FipsPBKD.java:56)
        at com.safelogic.cryptocomply.jcajce.provider.ProvPBEPBKDF2$BasePBKDF2.engineGenerateSecret(ProvPBEPBKDF2.java:249)
        at javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:336)
        at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hi(CryptoUtil.java:120)
        at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.saltedPassword(ScramMechanisms.java:154)
        at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.saltedPassword(ScramFunctions.java:59)
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:196)
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
        at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:778)
        at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:161)
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:213)
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:51)
        at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:225)
I am puzzled as to why this error occurs only with PostgreSQL 14 and not with PostgreSQL 11.
Re: FIPS-related Error: Password Must Be at Least 112 Bits on Postgres 14, Unlike in Postgres 11
On Thu, Jun 22, 2023 at 07:16:21PM +0530, Abhishek Dasgupta wrote:
> I am puzzled as to why this error occurs only with PostgreSQL 14 and not
> with PostgreSQL 11.

This error is specific to the Postgres JDBC driver, which relies on its own application layer for FIPS and SCRAM because it speaks the protocol directly and because it has no dependency on libpq. Are there any specific failures you are seeing in the PostgreSQL backend that you find confusing?
--
Michael
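To make the point above concrete, here is an added Python example; it is not part of this thread and not pgjdbc's own code. It derives the SCRAM-SHA-256 key material the way a client does (the Hi() step in the trace is PBKDF2-HMAC-SHA-256 run through SecretKeyFactory) and contrasts it with the MD5 verifier that the Postgres 11 configuration uses, which involves no key-derivation function and therefore never meets the FIPS PBKDF2 rule. The length check is a stand-in modelled on the error message (112 bits is 14 bytes); the real provider's exact rule, the constructed salt, iteration count, passwords and username are assumptions.

```python
import hashlib
import hmac

# Threshold quoted in the error message: FIPS-approved PBKDF2 wants a
# password of at least 112 bits, i.e. 14 bytes.
FIPS_MIN_PASSWORD_BITS = 112


class FipsUnapprovedOperationError(Exception):
    """Stand-in for the exception the FIPS JCE provider throws in the trace."""


def check_fips_password_length(password: bytes) -> None:
    # Assumption: the provider measures the raw password bytes handed to PBKDF2.
    if len(password) * 8 < FIPS_MIN_PASSWORD_BITS:
        raise FipsUnapprovedOperationError(
            f"password must be at least {FIPS_MIN_PASSWORD_BITS} bits")


def scram_keys(password: str, salt: bytes, iterations: int,
               fips_mode: bool = False) -> dict:
    """Derive SCRAM-SHA-256 key material (RFC 7677) as a client does.

    Hi() is PBKDF2-HMAC-SHA-256 with a 32-byte output; this is the step the
    JDBC driver delegates to SecretKeyFactory and that a FIPS provider polices.
    The salt and iteration count come from the server-first message.
    """
    # RFC 5802 applies SASLprep to the password; plain UTF-8 is used here.
    pw = password.encode("utf-8")
    if fips_mode:
        check_fips_password_length(pw)
    salted = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return {"salted_password": salted, "client_key": client_key,
            "stored_key": stored_key, "server_key": server_key}


def md5_password_hash(password: str, username: str) -> str:
    """PostgreSQL's legacy MD5 verifier: 'md5' + hex(md5(password || username)).

    No key-derivation function is involved, so the FIPS PBKDF2 length rule
    is never consulted on this authentication path.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


if __name__ == "__main__":
    # Constructed sample values (not from any real server).
    salt = b"constructed-16B!"     # 16-byte constructed salt
    iterations = 4096
    short_pw = "hunter2"           # 7 bytes = 56 bits, below the threshold
    long_pw = "hunter2hunter22"    # 15 bytes = 120 bits
    print("md5 verifier:", md5_password_hash(short_pw, "appuser"))
    print("scram stored key:",
          scram_keys(long_pw, salt, iterations, fips_mode=True)["stored_key"].hex())
    try:
        scram_keys(short_pw, salt, iterations, fips_mode=True)
    except FipsUnapprovedOperationError as err:
        print("rejected under FIPS:", err)
```

Running it shows the asymmetry the thread is about: the same short password produces an MD5 verifier without complaint, while the SCRAM path raises the 112-bit error before PBKDF2 even runs. The server side is not involved in either case; the check fires inside the client's crypto provider.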
Re: FIPS-related Error: Password Must Be at Least 112 Bits on Postgres 14, Unlike in Postgres 11
Hey Michael,

Thanks for the reply.

> This error is specific to the Postgres JDBC driver, which relies on
> its own application layer for FIPS and SCRAM because it speaks
> directly the protocol and because it has no dependency to libpq.

The thing is we are currently using the same password, which is less than 112 bits in length, for both versions 11 and 14 of Postgres. Although I am not a Postgres expert, I would like to understand the specific changes in the Postgres JDBC driver that are causing this error in Postgres 14. Could you please clarify if the Postgres JDBC driver has been updated between Postgres 11 and 14? I am also interested in knowing how I can investigate the root cause within the Postgres JDBC driver itself.

Additionally, I would like to inquire if there are any alternative steps to resolve this issue without requiring a password change to a length greater than 14 characters.

> Are there any specific failures you are seeing in the PostgreSQL backend
> that you find confusing?

The FIPS error is the main source of confusion for me. It seems that this error occurs specifically during the cluster setup, which subsequently leads to the failure of the DB setup.

On Fri, Jun 23, 2023 at 3:56 AM Michael Paquier <michael@paquier.xyz> wrote:
> On Thu, Jun 22, 2023 at 07:16:21PM +0530, Abhishek Dasgupta wrote:
> > I am puzzled as to why this error occurs only with PostgreSQL 14 and not
> > with PostgreSQL 11.
>
> This error is specific to the Postgres JDBC driver, which relies on
> its own application layer for FIPS and SCRAM because it speaks
> directly the protocol and because it has no dependency to libpq. Are
> there any specific failures you are seeing in the PostgreSQL backend
> that you find confusing?
> --
> Michael