Re: New buildfarm animals with FIPS mode enabled

From Tom Lane
Subject Re: New buildfarm animals with FIPS mode enabled
Date
Msg-id 862710.1739820235@sss.pgh.pa.us
In reply to Re: New buildfarm animals with FIPS mode enabled  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: New buildfarm animals with FIPS mode enabled
List pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
> On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
>> platform.

> Isn't it postgres version mostly?  We fixed so the testsuite passed on FIPS
> enabled machines by just not using anything that violates FIPS but I don't
> remember anything OpenSSL version specific.

No, there are two distinct problems:

1. We "support" FIPS in the regression tests by providing variant
expected-files that represent the error messages that you'll get in
FIPS mode.  Currently, there's only one such variant file per test
and it shows the error message spelling you get from OpenSSL 3.x.
1.x has a different spelling, cf [1].

2. None of this support existed before PG v17.

It'd be practical to crank up FIPS-mode BF animals on OpenSSL 3.x
platforms so long as you make them test only branches >= v17.
Such animals on OpenSSL 1.x will fail on all branches.

Obviously, we could talk about extending the regression tests'
support for these cases, but I'm really dubious that it's worth
the work.

            regards, tom lane

[1] https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=cixiid&dt=2025-02-13%2009%3A27%3A17


