Re: Postgre SQL SHA-256 Compliance

From Merlin Moncure
Subject Re: Postgre SQL SHA-256 Compliance
Date
Msg-id CAHyXU0yo6+5Zko7=z5CDADaCxZpGg4KVskBPkfJq7WYbeT7=ig@mail.gmail.com
In reply to Re: Postgre SQL SHA-256 Compliance  (Albe Laurenz <laurenz.albe@wien.gv.at>)
List pgsql-general
On Mon, Sep 22, 2014 at 9:42 AM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> Anthony Burden wrote:
>> validate some software with you to
>> ensure that all our installed PostgreSQL software meets SHA-256 compliance.
>> There are basically two things we are looking for:
>>
>> 1) Identify all COTS software purchased as part of scheduled and budgeted
>> technology refreshes and upgrades must be SHA-256 compliant.
>>
>> 2) All DOD information systems that have been upgraded or are upgrading to
>> support SHA-256 compliance must continue to maintain backwards compatibility
>> with DOD's current SHA-1 credentials.
>>
>> All the software we are using are:
>> PostgreSQL 8.2        8.2
>>
>> Can you confirm that your software is SHA-256 Compliant?
>
> If you mean whether a SSL database connection can use SHA-256 or not,
> that depends on the OpenSSL library your PostgreSQL uses.
> If your OpenSSL version supports SHA-256, so does PostgreSQL.

Well, it may be more than that depending on what 'SHA-256 compliance'
means.  Postgres still uses md5 for password authentication.  This has
a significant downside: it requires endlessly explaining the actual
danger to those who are security experts but don't know the difference
between collision and preimage resistance.

For everything but password auth postgres depends on SSL and is configurable.

merlin
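
The md5 password exchange mentioned in the message above, as an added example (not part of the original post and not PostgreSQL's own code); the role name, password and salt are constructed values. It shows that the server verifies by recomputing a digest from what it stores, so the property the scheme leans on is MD5's preimage resistance rather than its collision resistance.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """Value kept in pg_authid.rolpassword: 'md5' + md5(password || username)."""
    return "md5" + md5_hex(password.encode() + user.encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    """Client's answer to AuthenticationMD5Password, which carries a 4-byte salt."""
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected answer from the stored verifier."""
    if not verifier.startswith("md5") or len(verifier) != 35:
        return False  # not an md5-format verifier
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, not taken from any real system.
    user, password = "alice", "correct horse"
    salt = bytes.fromhex("0a1b2c3d")  # the server picks this at random per attempt
    verifier = stored_verifier(user, password)
    return {
        "verifier": verifier,
        "good_login": server_check(verifier, salt, client_response(user, password, salt)),
        "bad_password": server_check(verifier, salt, client_response(user, "wrong", salt)),
        # A response computed for one salt does not verify against another salt.
        "other_salt": server_check(verifier, b"\x00\x00\x00\x01",
                                   client_response(user, password, salt)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing in this exchange asks anyone to produce two inputs with the same digest, which is the operation MD5 collision attacks make cheap.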

