Re: postgres-10 with FIPS

Hi Michael,

Thanks for the quick response. I will try this out.

Would it be possible to share the configure command used in building the
standard postgres package. There are quite a lot of knobs and we wanted to
retain the same behaviour from postgres. I am assuming apart from this, I
might need to set the LDFLAGS, CFLAGS knob to point to include and lib
directories of FIPS compliant openssl library and includes. Also we would
like to build a debian package post the make -- would checkinstall be the
right tool for this purpose ?

Thanks

Regards,
Aravindhan Krishnan...

On Fri, 4 Dec 2020 at 11:13, Michael Paquier <michael(at)paquier(dot)xyz> wrote:

> On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote:
> > Since postgres is linked against openssl we wanted to make sure we build
> > postgres against the FIPS compliant openssl libraries. Does postgres
> > provide a FIPS debian package that can be used. If not it would be of
> great
> > help to help with the instructions to build the debian of postgres linked
> > against the FIPS compliant openssl libraries.
>
> There is no need for Postgres to do anything specific with FIPS at
> runtime, as long as the OS takes care of enabling FIPS and that
> OpenSSL is able to recognize that. So normally, you could just use a
> version of Postgres compiled with OpenSSL 1.0.2, and replace the
> libraries of OpenSSL with a version that is compiled with FIPS enabled
> as the APIs of OpenSSL used by Postgres are exactly the same for the
> non-FIPS and FIPS cases.
> --
> Michael
>