Dhaval Shah wrote:
> I am setting up Postgres for OpenSSL + FIPS.
>
> I am compiling Postgres with OpenSSL FIPS library using the
> "-with-openssl" option. The question I have is, does just doing that
> suffice? Or do I have to modify the postgres source code?
>
> Since I read through the OpenSSL FIPS documentation, it mentions to
> take this step as well:
>
> 1. FIPS mode initialization via
>    a. direct call to FIPS_mode_set() or
>    b. indirect call to OPENSSL_config()
>
> With either 1a or 1b, it indicates that I have to modify the postgres
> source code [that looks like a fork and local maintenance of the
> postgres source code].
>
> Of course I would like to hear that -with-openssl option takes care of
> the above and I just have to compile with that option. If not, which
> postgres files should I modify? Is it possible to create a header file
> and compile link it as part of postgres so that when postgres starts
> up, it can do either of the above mentioned calls.

PostgreSQL does not call FIPS_mode_set(), but we *do* call
OPENSSL_config() if the OpenSSL version is >= 0x0907. So with the proper
parameters in your openssl config file, you should be fine without
having to modify the source.

//Magnus