On Mon, Sep 17, 2018 at 02:55:55PM +0000, Alessandro Gherardi wrote:
> Therefore, I believe the best option, at least for now, is calling
> FIPS_mode_set(1) in the application.
I am not so sure about that. As you rightly mention, CentOS and RedHat
patch OpenSSL to allow FIPS to work. Per my research, Ubuntu can also
enable FIPS but that's not the case of Debian, which is very popular (I
may be wrong about the last one but I use it daily).
One question I have is how are you actually able to use FIPS on Windows
with OpenSSL? Is that from one of the tarballs available in
openssl.org, which are more than 1 year old? Pure upstream code does
not give this option, and CentOS/RHEL use a customly-made patch, based
on which Postgres does not complain when calling the low-level hashing
functions, and we rely now on FIPS being enabled system-wide. And that
actually works. It seems to me that you are yourself using a custom
patch for OpenSSL, and that's actually a different flavor than the Linux
version as in your case the low-level hashing functions complain if
called directly in FIPS mode.
At the end, I think that we ought to wait and see if upstream OpenSSL
comes up with support for FIPS and how it integrates with it, on both
Linux *and* Windows, and then consider if Postgres needs to do more.
There is little point in merging now a patch for something which may or
may not be supported by OpenSSL now. My bet, as things stand, is that
we could finish with something similar to what happens on Linux with a
system-wide switch that Postgres knows nothing about. Perhaps that will
not be the case, but let's think about that once we know for sure.
--
Michael