On 02/04/2016 10:13 AM, Lesley Kimmel wrote:
> All;
>
> I'm working with PostgreSQL in a DoD environment and am supposed to
> enforce FIPS operation. PostgreSQL doesn't perform a call to
> FIP_mode_set() but does provide a configuration item 'ssl_ciphers'. Is
> there more to FIPS_mode than I am aware of or would it be functionally
> equivalent to simply set my ciphers to something like 'FIPS:!aNULL:!eNULL'?
>
> As a semi-related question, would a non-FIPS OpenSSL installation still
> enforce the same cipher suites but just not be 'officially' validated?

Yes, there's a whole lot more to "FIPS 140-2 validated" than just choice
of algorithms/ciphers. There is "magical pixie dust" that won't make
much sense from a pure software engineering perspective.

You can find lots of info online; the Wikipedia article is as good a
place as any to start. Also note the OpenSSL FIPS User Guide,
https://openssl.org/docs/fips/SecurityPolicy-2.0.pdf.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc