| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow tests to pass in OpenSSL FIPS mode |
| Date: | 2023-10-05 20:04:04 |
| Message-ID: | 2818708.1696536244@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> writes:
> Continuing this, we have fixed many issues since. Here is a patch set
> to fix all remaining issues.
On the way to testing this, I discovered that we have a usability
regression with recent OpenSSL releases. The Fedora 35 installation
I used to use for testing FIPS-mode behavior would produce errors like
select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";
- TRUE
-------
- t
-(1 row)
-
+ERROR: could not compute MD5 hash: disabled for FIPS
In the shiny new Fedora 38 installation I just set up for the
same purpose, I'm seeing
select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";
- TRUE
-------
- t
-(1 row)
-
+ERROR: could not compute MD5 hash: unsupported
This is less user-friendly; moreover it indicates that we're
going to get different output depending on the vintage of
OpenSSL we're testing against, which is going to be a pain for
expected-file maintenance.
I think we need to make an effort to restore the old output
if possible, although I grant that this may be mostly a whim
of OpenSSL's that we can't do much about.
The F35 installation has openssl 1.1.1q, where F38 has
openssl 3.0.9.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2023-10-05 20:09:36 | Re: [PoC/RFC] Multiple passwords, interval expirations |
| Previous Message | Laurenz Albe | 2023-10-05 19:54:29 | Re: Good News Everyone! + feature proposal |