On Mon, Sep 17, 2018 at 02:55:55PM +0000, Alessandro Gherardi wrote: > Therefore, I believe the best option, at least for now, is calling > FIPS_mode_set(1) in the application. I am not so sure about that. As you rightly mention, CentOS and RedHat patch OpenSSL to allow FIPS to work. Per my research, Ubuntu can also enable FIPS but that's not the case of Debian, which is very popular (I may be wrong about the last one but I use it daily). One question I have is how are you actually able to use FIPS on Windows with OpenSSL? Is that from one of the tarballs available in openssl.org, which are more than 1 year old? Pure upstream code does not give this option, and CentOS/RHEL use a customly-made patch, based on which Postgres does not complain when calling the low-level hashing functions, and we rely now on FIPS being enabled system-wide. And that actually works. It seems to me that you are yourself using a custom patch for OpenSSL, and that's actually a different flavor than the Linux version as in your case the low-level hashing functions complain if called directly in FIPS mode. At the end, I think that we ought to wait and see if upstream OpenSSL comes up with support for FIPS and how it integrates with it, on both Linux *and* Windows, and then consider if Postgres needs to do more. There is little point in merging now a patch for something which may or may not be supported by OpenSSL now. My bet, as things stand, is that we could finish with something similar to what happens on Linux with a system-wide switch that Postgres knows nothing about. Perhaps that will not be the case, but let's think about that once we know for sure. -- Michael
Attachment:
signature.asc
Description: PGP signature
