Re: postgres-10 with FIPS

On 12/9/20 4:51 AM, Aravindhan Krishnan wrote:
> The paid version I had mentioned about was the paid OS (ubuntu) for FIPS
> compliancy. I understand that postgres as is completely available for open-source.
>
> Since we can't get the paid version of the OS to support FIPS compliancy the
> idea was to build postgres against FIPS compliant SSL/crypto of 1.0.2g and get
> it to work on ubuntu 20.04 for which I was interested in the configure option.

Actual FIPS compliance is held by the distributor of the SSL library you use.

While you can, for example, configure a CentOS 7 system to be in "FIPS mode", it
is still not "FIPS compliant" if you didn't get the bits (the SSL library
itself) from Red Hat (which you did not if you are running CentOS).

The situation is the same with Ubuntu, except as far as I am aware you cannot
even get your hands on the SSL library for "FIPS mode" from Ubuntu unless you
pay them, unlike CentOS.

So no matter what you do with Postgres itself, you will not be FIPS compliant
without paying RHEL/Ubuntu/SUSE or getting your stack certified yourself (which
is not likely something you will want to do and would cost you more anyway).

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development