My organization is in the process of getting a FIPS certification. I was wondering if anyone who has experience with getting their application FIPS certified using postgres. I have read a little bit about this and saw that you need to compile postgres manually using a FIPS capable version of openssl.
However, I would like to know how you handled the startup self test of postgres and how you handled errors in the crypto module.
I have started investigating compiling postgres using openssl-fips. However, I run into issues when I try to run the make scripts using the fipsld linker.
The error I get is: fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv -DDEF_PGPORT=5432 -I../../../src /interfaces/libpq -I../../../src/include -D_GNU_SOURCE -I/usr/local/ssl/fips/include -I/usr/local/include -c -o pg_ctl.o pg_ctl.c fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv pg_ctl.o -L../../../src/port -l pgport -L../../../src/interfaces/libpq -lpq -L../../../src/port -L/usr/local/ssl /fips/lib -L/usr/local/lib -Wl,--as-needed -Wl,-rpath,'/usr/local/pgsql/lib' -lpgport -lssl -lcrypto -lcrypt -ldl -lm -o pg_ctl ./pg_ctl: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory
Just as a FYI, I am running configure and make in the following manner: > ./configure --with-includes=/usr/local/ssl/fips/include:/usr/local/include --with-libraries=/usr/local/ssl/fips/lib:/usr/local/lib --enable-shared -with-openssl --without-readline --without-zlib