Discussion: PostgreSQL FIPS 140-2 on Window

PostgreSQL FIPS 140-2 on Window

From
Bradley May
Date:
I understand the PostgreSQL 9.x installed on a RHEL distribution can be configured and supports FIPS 140-2 when using
and properly configuring OpenSSL FIPS. My question is can the same be accomplished with a Windows installation, as
easily or similar to the RHEL installation/configuration procedures?

Apologies for such an abstract question, but I remember reading somewhere that PostgreSQL 9.x when installed on
Windows does not support FIPS 140-2 without installing a more commercial product that has performed the additional
compilation requirements.

Respectfully,
brad


Re: PostgreSQL FIPS 140-2 on Window

From
Tom Lane
Date:
Bradley May <brad@themayfamily.us> writes:
> I understand the PostgreSQL 9.x installed on a RHEL distribution can be configured and supports FIPS 140-2 when using
> and properly configuring OpenSSL FIPS. My question is can the same be accomplished with a Windows installation, as
> easily or similar to the RHEL installation/configuration procedures?

No.  PG doesn't really have any specific support for the FIPS
requirements.  From our perspective that's implemented by behavioral
changes in libc and openssl.  Perhaps you can find FIPS-ified versions
of those libraries for Windows, but I don't know where to look.

            regards, tom lane


Re: PostgreSQL FIPS 140-2 on Window

From
Joe Conway
Date:
On 10/01/2018 11:44 AM, Bradley May wrote:
> I understand the PostgreSQL 9.x installed on a RHEL distribution can
> be configured and supports FIPS 140-2 when using and properly
> configuring OpenSSL FIPS. My question is can the same be accomplished
> with a Windows installation, as easily or similar to the RHEL
> installation/configuration procedures?
>
> Apologies for such an abstract question, but I remember reading
> somewhere that PostgreSQL 9.x when installed on Windows does not
> support FIPS 140-2 without installing a more commercial product that
> has performed the additional compilation requirements.

As I understand it, FIPS 140-2 support is both "mechanical" (as in your
application will use only FIPS 140-2 approved algorithms and openssl
will be in "FIPS mode" if asked) as well as "compliance" (as in using
software that is actually certified to be FIPS 140-2 compliant).

While without a support subscription you can get "mechanical" FIPS 140-2
support with properly patched OpenSSL library (e.g. using CentOS
configured for FIPS 140-2 system-wide), you will not have FIPS 140-2
"compliance" unless you pay for support from a company that maintains
the certification (e.g. Red Hat, Ubuntu, or SUSE).

The challenge on Windows is to find an SSL library that:

1. Works with Postgres (i.e. openssl or something compatible)
2. Enables Postgres to have mechanical compliance (i.e. works
   system wide in a way that is transparent to Postgres)
3. Is backed by a company that has FIPS 140-2 certification for it

The only one that I have run across that appears to meet all three of
these on Windows is wolfSSL:

  https://www.wolfssl.com/products/wolfssl/

Note that I have no affiliation with them, nor have I actually tried the
product. It claims to have an "OpenSSL Compatibility Layer", so perhaps
it might work for you. If you try it, I'd love to hear back how it goes :-)

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

