Re: postgres-10 with FIPS

From: Aravindhan Krishnan <aravindhank11(at)gmail(dot)com>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: postgres-10 with FIPS
Date: 2020-12-08 08:18:33
Message-ID: CAKD9u-pXmyXoRN5paBZwsLfunaKvwSQxDVo4Y2nTkdGm-ZdBBw@mail.gmail.com
Lists: pgsql-general

Hi Community,

Can someone help me with the above request?

* Would it be possible to share the configure command used in building the
standard postgres package?
* We would like to build a Debian package post the make -- would
checkinstall be the right tool for this purpose?

Regards,
Aravindhan Krishnan...

On Fri, 4 Dec 2020 at 16:42, Aravindhan Krishnan <aravindhank11(at)gmail(dot)com>
wrote:

> Hi Michael,
>
> Thanks for the quick response. I will try this out.
>
> Would it be possible to share the configure command used in building the
> standard postgres package? There are quite a lot of knobs and we wanted to
> retain the same behaviour from postgres. I am assuming apart from this, I
> might need to set the LDFLAGS, CFLAGS knob to point to include and lib
> directories of FIPS compliant openssl library and includes. Also we would
> like to build a Debian package post the make -- would checkinstall be the
> right tool for this purpose?
>
> Thanks
>
> Regards,
> Aravindhan Krishnan...
>
>
> On Fri, 4 Dec 2020 at 11:13, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>
>> On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote:
>> > Since postgres is linked against openssl we wanted to make sure we build
>> > postgres against the FIPS compliant openssl libraries. Does postgres
>> > provide a FIPS Debian package that can be used? If not it would be of
>> > great help to help with the instructions to build the Debian package of
>> > postgres linked against the FIPS compliant openssl libraries.
>>
>> There is no need for Postgres to do anything specific with FIPS at
>> runtime, as long as the OS takes care of enabling FIPS and that
>> OpenSSL is able to recognize that. So normally, you could just use a
>> version of Postgres compiled with OpenSSL 1.0.2, and replace the
>> libraries of OpenSSL with a version that is compiled with FIPS enabled
>> as the APIs of OpenSSL used by Postgres are exactly the same for the
>> non-FIPS and FIPS cases.
>> --
>> Michael
>>
>
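
For the configure question and the library-swap approach quoted above, an added example that is not part of the thread: `pg_config --configure` prints the options an installed build was configured with, and `ldd` on the `postgres` binary shows which `libssl`/`libcrypto` it resolves at run time. The sample outputs are constructed and `/opt/openssl-fips` is a hypothetical prefix for the FIPS OpenSSL build.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed;
# /opt/openssl-fips is a hypothetical install prefix for the FIPS OpenSSL build.

# Succeeds if a `pg_config --configure` line enables OpenSSL support.
built_with_openssl() {
    case " $1 " in
        *"'--with-openssl'"* | *" --with-openssl "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ldd` output on stdin; prints "<soname> <resolved path>" for libssl/libcrypto.
resolved_crypto_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Reads resolved_crypto_libs output; succeeds only if at least one library was
# found and all of them resolve under the given prefix.
all_under_prefix() {
    prefix=$1 found=0
    while read -r name path; do
        found=1
        case "$path" in
            "$prefix"/*) ;;
            *) echo "outside $prefix: $name -> $path" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# audit CONFIGURE_LINE LDD_TEXT PREFIX
audit() {
    built_with_openssl "$1" || { echo "build lacks --with-openssl" >&2; return 1; }
    printf '%s\n' "$2" | resolved_crypto_libs | all_under_prefix "$3"
}

# Constructed samples in the shape the two tools print. The second library
# still resolves to the system copy, so the audit fails for this sample.
SAMPLE_CONFIGURE="'--prefix=/usr' '--with-openssl' '--with-libxml'"
SAMPLE_LDD='    libssl.so.1.0.2 => /opt/openssl-fips/lib/libssl.so.1.0.2 (0x00007f0000000000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# On a real host:
#   audit "$(pg_config --configure)" "$(ldd "$(pg_config --bindir)/postgres")" /opt/openssl-fips
```
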
