Re: Postgres in FIPS

From Kenneth Buckler
Subject Re: Postgres in FIPS
Date
Msg-id AANLkTimAM5kYARqsSebP+H7VQUV7SHFb22w36-K7h52r@mail.gmail.com
In reply to Postgres in FIPS  (M Sabin <postgres@sabes.net>)
Responses Re: Postgres in FIPS
List pgsql-general
Something to think about here....does your database actually require
encryption?  Or is the encryption handled between remote user and
application?
If your database is shared locally on the same server as your
application, then you shouldn't need FIPS encryption since the
communication between database and application never leaves the
system.
Unless you have really strict application requirements.

Ken

On Tue, Jan 11, 2011 at 4:03 PM, M Sabin <postgres@sabes.net> wrote:
> Hello,
>
> My organization is in the process of getting a FIPS certification.  I was
> wondering if anyone who has experience with getting their application FIPS
> certified using postgres.  I have read a little bit about this and saw that
> you need to compile postgres manually using a FIPS capable version of
> openssl.
>
> However, I would like to know how you handled the startup self test of
> postgres and how you handled errors in the crypto module.
>
> I have started investigating compiling postgres using openssl-fips.
> However, I run into issues when I try to run the make scripts using the
> fipsld linker.
>
> The error I get is:
> fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith
> -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv
> -DDEF_PGPORT=5432 -I../../../src
> /interfaces/libpq -I../../../src/include -D_GNU_SOURCE
> -I/usr/local/ssl/fips/include -I/usr/local/include  -c -o pg_ctl.o pg_ctl.c
> fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith
> -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv
> pg_ctl.o  -L../../../src/port -l                          pgport
> -L../../../src/interfaces/libpq -lpq -L../../../src/port
> -L/usr/local/ssl
> /fips/lib -L/usr/local/lib -Wl,--as-needed -Wl,-rpath,'/usr/local/pgsql/lib'
> -lpgport -lssl -lcrypto -lcrypt -ldl -lm  -o pg_ctl
> ./pg_ctl: error while loading shared libraries: libpq.so.5: cannot open
> shared object file: No such file or directory
>
>
> Just as a FYI, I am running configure and make in the following manner:
>> ./configure --with-includes=/usr/local/ssl/fips/include:/usr/local/include
>> --with-libraries=/usr/local/ssl/fips/lib:/usr/local/lib --enable-shared
>> -with-openssl --without-readline --without-zlib
>
>> make CC=fipsld FIPSLD_CC=gcc
>
> Thanks for any help
>
