| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
| Date: | 2024-12-04 14:45:51 |
| Message-ID: | F556EDE9-22E8-4EB0-8015-9A5429A76D41@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 4 Dec 2024, at 15:40, Joe Conway <mail(at)joeconway(dot)com> wrote:
>
> On 12/4/24 09:33, Daniel Gustafsson wrote:
>> since OpenSSL 1.1.1 cannot operate in FIPS mode.
>
> I don't think that is correct. The RHEL 8 openssl which was FIPS 140-2 validated is 1.1.1k. See:
>
> https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4642.pdf
Does RHEL publish the source of their fork somewhere? In OpenSSL 1.1.1 the
code for FIPS_mode is:
int FIPS_mode(void)
{
/* This version of the library does not support FIPS mode. */
return 0;
}
Do you know if RHEL patched OpenSSL to allow FIPS_mode() to return other than 0
or if that function is useless regardless?
--
Daniel Gustafsson
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Gustafsson | 2024-12-04 14:48:00 | Re: add support for the old naming libs convention on windows (ssleay32.lib and libeay32.lib) |
| Previous Message | Joe Conway | 2024-12-04 14:40:20 | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |