From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Joe Conway <mail(at)joeconway(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
Date: | 2024-12-04 14:39:41 |
Message-ID: | CA+TgmoYz85dnX2SktK+EhnhxTjDdq6tZNPjuwvCBhgwSz3iDRA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, Dec 4, 2024 at 9:33 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > The comment suggests to me that if the user happened to be using
> > OpenSSL 1.1.1 and CheckLegacyCryptoMode() was called, the expected
> > outcome would be an error, but it will just return.
>
> I think I know what you mean, but just to be clear so I know what to reword,
> the comment in the code or the above quoted email?
>
> If the GUC is set to fips it will mimic the OpenSSL setting (disallow when
> OpenSSL is in FIPS mode and allow when OpenSSL isn't in FIPS mode), and thus
> allow internal crypto since OpenSSL 1.1.1 cannot operate in FIPS mode. If the
> GUC is set to on or off it will allow or disallow built-in crypto without
> considering the OpenSSL state.
Never mind, I was being stupid.
*wanders off to find a paper bag*
--
Robert Haas
EDB: http://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | Joe Conway | 2024-12-04 14:40:20 | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
Previous Message | Robert Haas | 2024-12-04 14:38:30 | Re: Eager aggregation, take 3 |