From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Dhaval Shah <dhaval(dot)shah(dot)m(at)gmail(dot)com> |
Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Question regarding Postgres + OpenSSL + FIPs |
Date: | 2009-01-16 12:27:04 |
Message-ID: | 49707D18.5070901@hagander.net |
Lists: | pgsql-general |
Dhaval Shah wrote:
> I am setting up Postgres for OpenSSL + FIPS.
>
> I am compiling Postgres with OpenSSL FIPS library using the
> "-with-openssl" option. The question I have is, does just doing that
> suffice? Or do I have to modify the postgres source code?
>
> Since I read through the OpenSSL FIPS documentation, it mentions to
> take this step as well:
>
> 1. FIPS mode initialization via
> a. direct call to FIPS_mode_set() or
> b. indirect call to OPENSSL_config()
>
> With either 1a or 1b, it indicates that I have to modify the postgres
> source code [that looks like a fork and local maintenance of the
> postgres source code].
>
> Of course I would like to hear that -with-openssl option takes care of
> the above and I just have to compile with that option. If not, which
> postgres files should I modify? Is it possible to create a header file
> and compile and link it as part of postgres so that when postgres starts
> up, it can do either of the above mentioned calls?
PostgreSQL does not call FIPS_mode_set(), but we *do* call
OPENSSL_config() if the OpenSSL version is >= 0x0907. So with the proper
parameters in your openssl config file, you should be fine without
having to modify the source.
//Magnus
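
The following is an added example, not part of the original message or of PostgreSQL. It embeds a constructed `openssl.cnf` that requests FIPS mode through the indirect `OPENSSL_config()` route, and checks that the reference chain from the default section down to `fips_mode` is unbroken. It assumes the caller uses OpenSSL's default application name `openssl_conf`; the section names `openssl_init` and `evp_settings` and the Python function names are illustrative.

```python
import re

# Constructed sample openssl.cnf (not taken from the thread). The section
# names "openssl_init" and "evp_settings" are arbitrary; the keys
# openssl_conf, alg_section and fips_mode are OpenSSL's own.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[ openssl_init ]
alg_section = evp_settings

[ evp_settings ]
fips_mode = yes
"""

# Strings OpenSSL's boolean parser treats as true (exact case).
TRUE_VALUES = {"TRUE", "true", "Y", "y", "YES", "yes"}


def parse_cnf(text):
    """Parse the subset of openssl.cnf used here: [sections], name = value,
    and # comments. Variable expansion and includes are not handled."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def fips_mode_requested(text, appname="openssl_conf"):
    """True only if default section -> appname -> alg_section -> fips_mode
    resolves end to end and the final value is a true boolean."""
    sections = parse_cnf(text)
    init = sections.get(sections["default"].get(appname, ""), {})
    algs = sections.get(init.get("alg_section", ""), {})
    return algs.get("fips_mode", "") in TRUE_VALUES


if __name__ == "__main__":
    print("FIPS mode requested by config:", fips_mode_requested(SAMPLE_CNF))
```

A `fips_mode = yes` line in a section that nothing points to is ignored by this check; the check also says nothing about whether the linked OpenSSL library is a FIPS-capable build.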