On 1/27/22 12:23 AM, pramod kg wrote:
How to determine whether PG installed on a server is FIPS aware or
not (FIPS 140-2 compliant)? We are doing an RPM-based installation.
On 1/27/22 1:15 AM, Tom Lane wrote:
pramod kg <pramod11287@xxxxxxxxx> writes:
I executed the query and got this output.
postgres=# SELECT md5('foo');
md5
----------------------------------
acbd18db4cc2f85cedef654fccc4a4d8
(1 row)
Oh, my mistake --- that only applies in v14 and later; before
that md5() always uses a built-in implementation.
See the STIG that Imram mentioned.
Ensuring you are actually "FIPS 140-2 compliant" is much more complex
than most people imagine.
See:
https://blog.crunchydata.com/blog/postgres-and-crypto-supply-chain-of-integrity
Also, see the tip of the master branch of pgnodemx:
https://github.com/CrunchyData/pgnodemx
8<-----------------------
-- this will be in next release
-- i.e. pgnodemx v1.0.6
select openssl_version();
openssl_version
----------------------------------
OpenSSL 1.1.1k FIPS 25 Mar 2021
(1 row)
-- these are already in pgnodemx v1.0.5
select openssl_version();
openssl_version
----------------------------------
OpenSSL 1.1.1k FIPS 25 Mar 2021
(1 row)
select symbol_filename('FIPS_mode');
symbol_filename
--------------------------------
/usr/lib64/libcrypto.so.1.1.1k
(1 row)
nmx=# select fips_mode();
fips_mode
-----------
f
(1 row)
8<-----------------------
I expect pgnodemx v1.0.6 will be released very soon.
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
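The thread above gives three probes with very different evidential weight: the md5() call (only meaningful on v14 and later, where md5() goes through OpenSSL), the openssl_version() banner (which, as Joe's own output shows, can say "FIPS" while fips_mode() still returns f), and pgnodemx's fips_mode() itself. The following script is an added example, not code from the thread or from pgnodemx; it collects those probe results into one structure and turns them into a verdict with the reasoning spelled out. It assumes that the caller has already run the listed SQL against the server (for example with psql) and copied the results in, that `server_version_num` is the integer from `SHOW server_version_num` (140001 for 14.1), and that the server was built with OpenSSL; the sample probe values at the bottom are constructed from the thread's output.

```python
"""Interpret FIPS-mode probes against a PostgreSQL server (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Statements a practitioner would run first (the pgnodemx ones need the
# extension installed). SHOW server_version_num is standard PostgreSQL.
PROBE_SQL = (
    "SHOW server_version_num;",
    "SELECT md5('foo');",
    "SELECT openssl_version();",          # pgnodemx
    "SELECT symbol_filename('FIPS_mode');",  # pgnodemx: which libcrypto is loaded
    "SELECT fips_mode();",                # pgnodemx
)


@dataclass
class Probe:
    """Results copied from the server; None means the probe was not run.
    Assumption: server_version_num is the integer from SHOW server_version_num."""
    server_version_num: int
    md5_ok: Optional[bool] = None          # SELECT md5('foo') returned a hash?
    openssl_version: Optional[str] = None  # pgnodemx openssl_version() banner
    fips_mode: Optional[bool] = None       # pgnodemx fips_mode()


def openssl_is_fips_capable(banner: Optional[str]) -> Optional[bool]:
    """A banner such as 'OpenSSL 1.1.1k FIPS 25 Mar 2021' shows a FIPS-capable
    build. It does NOT show that FIPS mode is switched on (the thread's own
    output has this banner together with fips_mode() = f)."""
    if banner is None:
        return None
    return "FIPS" in banner.split()


def interpret(p: Probe) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'on', 'off', 'likely on' or 'inconclusive'."""
    # 1. Direct answer: fips_mode() reports the state of the libcrypto the
    #    server process actually loaded.
    if p.fips_mode is not None:
        return ("on" if p.fips_mode else "off",
                "pgnodemx fips_mode() returned %s" % ("t" if p.fips_mode else "f"))

    # 2. md5() probe: before v14 md5() is a built-in implementation and says
    #    nothing; from v14 on it goes through OpenSSL (assuming the server was
    #    built with OpenSSL), which rejects MD5 in FIPS mode.
    if p.md5_ok is not None:
        if p.server_version_num < 140000:
            return ("inconclusive",
                    "md5() uses a built-in implementation before v14, "
                    "so a working md5() call does not rule FIPS mode in or out")
        if p.md5_ok:
            return ("off", "md5() succeeded on v14+, so OpenSSL is not rejecting MD5")
        return ("likely on",
                "md5() failed on v14+, consistent with OpenSSL in FIPS mode rejecting MD5; "
                "confirm with fips_mode()")

    # 3. Only the version banner: a FIPS-capable build is necessary, not sufficient.
    if openssl_is_fips_capable(p.openssl_version) is True:
        return ("inconclusive",
                "FIPS-capable OpenSSL build, but FIPS mode was not checked; run fips_mode()")
    return ("inconclusive", "no probe result that establishes FIPS mode; run fips_mode()")


if __name__ == "__main__":
    # Constructed samples: Joe's pgnodemx output, and pramod's md5() result
    # interpreted for a pre-14 and a 14+ server.
    samples = {
        "pgnodemx on nmx": Probe(140001, openssl_version="OpenSSL 1.1.1k FIPS 25 Mar 2021",
                                 fips_mode=False),
        "md5 ok, v13":     Probe(130005, md5_ok=True),
        "md5 ok, v14":     Probe(140001, md5_ok=True),
        "md5 error, v14":  Probe(140001, md5_ok=False),
    }
    for name, probe in samples.items():
        verdict, reason = interpret(probe)
        print("%-16s %-12s %s" % (name, verdict, reason))
```

The ordering in `interpret` is the point: a direct fips_mode() reading wins over the md5() inference, and the banner alone never produces a verdict of "on", because a FIPS-capable libcrypto with FIPS mode off is exactly the situation the thread's nmx output demonstrates.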