| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Filip Janus <fjanus(at)redhat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: SHA-1 FIPS - compliance |
| Date: | 2021-08-20 01:02:14 |
| Message-ID: | YR7/Fi2648tQwCHc@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Jul 08, 2021 at 09:58:35AM -0400, Bruce Momjian wrote:
> On Thu, Jul 8, 2021 at 02:33:33PM +0200, Filip Janus wrote:
>> I am a new maintainer of PostgreSQL in Fedora and RHEL. Currently, I am solving
>> usage SHA-1 for key-derivation in pgcrypto (the s2k-digest-algo). In the
>> documentation, I have found that there are options SHA-1 or MD5. Unfortunately,
>> none of these algorithms are FIPS compliant. So I would like to ask if exists a
>> possibility to add or enable support for some type of stronger hash algorithm?
Patches and improvements are always welcome.
> I don't know of any official way to disable them, but I do know that PG
> 14 will use a different set of algorithms that are more FIPS-compliant
> because we rely more on the OpenSSL for its implementation (or
> blockage).
The set of algorithms supported for pgcrypto does not change. The
only thing that does change is that, by going through the EVP layer
instead of the low-level cryptohash APIs, OpenSSL will not do a blind
exit() when using algos that are not FIPS compliant (MD5 and SHA-1)
when linking to OpenSSL 1.0.2 if FIPS is enabled at system or process
level.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mahendra Singh Thalor | 2021-08-20 02:07:52 | Re: Support reset of Shared objects statistics in "pg_stat_reset" function |
| Previous Message | Jacob Champion | 2021-08-20 00:05:19 | Re: badly calculated width of emoji in psql |