From: | Alessandro Gherardi <alessandro(dot)gherardi(at)yahoo(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: scram-sha-256 authentication broken in FIPS mode |
Date: | 2018-09-17 14:55:55 |
Message-ID: | 1940555821.4092541.1537196155707@mail.yahoo.com |
Lists: | pgsql-general |
Here's a patch for enabling FIPS in OpenSSL - by calling FIPS_mode_set(1) - on Windows if the FIPS registry entry HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to 1. That's the entry that the .NET crypto libraries look at to decide whether or not to operate in FIPS mode.
I thought of submitting a pull request for adding this logic to OpenSSL; however, (1) https://www.openssl.org/source/ says they are working on a new FIPS module, so I doubt they would take a pull request for OpenSSL 1.0.X, and (2) for Linux, this logic doesn't exist in the standard OpenSSL distribution but only in the RHEL-specific OpenSSL patch (see method init_fips_mode() in https://git.centos.org/raw/rpms/openssl.git/c7/SOURCES!openssl-1.0.2i-fips.patch ).
Therefore, I believe the best option, at least for now, is calling FIPS_mode_set(1) in the application.
Attachment | Content-Type | Size |
---|---|---|
0001-On-Windows-call-FIPS_mode_set-1-if-FIPS-registry-ent.patch | application/octet-stream | 3.1 KB |
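An added administrator's check, not part of the attached patch or of PostgreSQL: it reads the same FipsAlgorithmPolicy registry value the patch keys FIPS_mode_set(1) on, and, as an assumption, inspects an openssl.exe on PATH for the "-fips" marker that FIPS-capable 1.0.x builds carry in their version string.

```powershell
# Added example, not the thread's patch: report the Windows FIPS policy that the
# proposed PostgreSQL patch keys its FIPS_mode_set(1) call on.
function Get-WindowsFipsPolicy {
    $key  = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    # A missing key or value means the policy is not enforced; only DWORD 1 means enforced.
    [pscustomobject]@{
        KeyPresent = ($null -ne $item)
        Enabled    = ($null -ne $item -and [int]$item.Enabled -eq 1)
    }
}

function Test-OpenSslFipsCapable {
    # Assumption: an openssl.exe is on PATH and, when built against the FIPS
    # module, prints "fips" in its version string (e.g. "OpenSSL 1.0.2k-fips").
    $exe = Get-Command openssl.exe -ErrorAction SilentlyContinue
    if (-not $exe) { return $null }
    $ver = & $exe.Source version 2>$null
    [pscustomobject]@{ Version = $ver; FipsCapable = ($ver -match 'fips') }
}

$policy = Get-WindowsFipsPolicy
$ssl    = Test-OpenSslFipsCapable
"Windows FIPS policy enforced: $($policy.Enabled) (registry key present: $($policy.KeyPresent))"
if ($ssl) { "OpenSSL on PATH: $($ssl.Version) (FIPS-capable build: $($ssl.FipsCapable))" }
if ($policy.Enabled -and $ssl -and -not $ssl.FipsCapable) {
    # FIPS_mode_set(1) returns 0 on a build without the FIPS module, so the
    # patch's call would report an error rather than enable FIPS mode.
    "Policy is on but this OpenSSL is not a FIPS-capable build."
}
```

Run it in an elevated PowerShell on the database host; the OpenSSL that matters is the one the PostgreSQL binaries actually load, which may differ from the openssl.exe on PATH.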