Discussion: Is PG CE is FIPS Aware?

Is PG CE is FIPS Aware?

From
pramod kg
Date:
Hi Experts,

How to determine whether the PG installed on a server is FIPS aware or not (FIPS 140-2 compliant)? We are doing an RPM-based installation.

OS Version : RHEL 7.X
PG version : 13.5 CE.


Regards,
Pramod

Re: Is PG CE is FIPS Aware?

From
Tom Lane
Date:
pramod kg <pramod11287@gmail.com> writes:
> How to determine whether PG installed in a server is FIPS aware or not(FIPS
> 140-2 compliant)? We are doing RPM based installation.

If "SELECT md5('foo')" fails, then FIPS restrictions are active.

            regards, tom lane



Re: Is PG CE is FIPS Aware?

From
pramod kg
Date:
Thanks Tom for your quick response.

I executed the query. Got the output.

postgres=# SELECT md5('foo');
               md5
----------------------------------
 acbd18db4cc2f85cedef654fccc4a4d8
(1 row)


Do we have official documentation or any blogs that guide us in making a PG installation FIPS compliant? Also, is it achievable via an RPM-based installation? Or do we need to compile the libraries?

On Thu, Jan 27, 2022 at 11:02 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Re: Is PG CE is FIPS Aware?

From
Imran Haider
Date:
https://www.stigviewer.com/stig/postgresql_9.x/

Regards,
Imran Haider
On 27 Jan 2022, 11:18 +0530, pramod kg <pramod11287@gmail.com>, wrote:

Re: Is PG CE is FIPS Aware?

From
Tom Lane
Date:
pramod kg <pramod11287@gmail.com> writes:
> I executed query. Got output.

> postgres=# SELECT md5('foo');
>                md5
> ----------------------------------
>  acbd18db4cc2f85cedef654fccc4a4d8
> (1 row)

Oh, my mistake --- that only applies in v14 and later; before
that, md5() always uses a built-in implementation.

See the STIG that Imran mentioned.

            regards, tom lane



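Tom's md5('foo') probe together with his v14-and-later caveat, as an added example script (not from this thread, pgnodemx or the PostgreSQL project). It assumes psql is on the PATH, that the connection options are passed as script arguments, and, for the kernel-level flag, the RHEL /proc/sys/crypto/fips_enabled file.

```shell
#!/bin/sh
# Added example (not from the thread): turn Tom Lane's md5('foo') probe into a
# script that also applies his caveat, i.e. the probe is only meaningful on
# PostgreSQL 14 or later. Usage: sh fips_probe.sh [psql connection options]

# fips_verdict SERVER_VERSION_NUM MD5_RESULT
#   MD5_RESULT is "ok" if SELECT md5('foo') returned a row, "error" if it failed.
#   Prints one of: fips-active, fips-inactive, inconclusive.
fips_verdict() {
    if [ "$1" -ge 140000 ]; then
        # On 14+, md5() goes through OpenSSL, so a failure means FIPS
        # restrictions are enforced by the libcrypto the server links against.
        if [ "$2" = error ]; then echo fips-active; else echo fips-inactive; fi
    else
        # Before 14, md5() always uses the built-in implementation and
        # succeeds regardless of FIPS mode, so the probe tells us nothing.
        echo inconclusive
    fi
}

# os_fips_flag: kernel-level FIPS switch on RHEL (assumed path; prints "unknown"
# when the file is absent, e.g. on non-RHEL systems or inside a container).
os_fips_flag() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo unknown
    fi
}

# probe_server [psql options]: runs both queries against a live server.
probe_server() {
    ver=$(psql -XAtq "$@" -c "SHOW server_version_num") || {
        echo "cannot connect to server" >&2; return 1; }
    if psql -XAtq "$@" -c "SELECT md5('foo')" >/dev/null 2>&1; then
        md5=ok
    else
        md5=error
    fi
    echo "server_version_num=$ver md5_probe=$md5 verdict=$(fips_verdict "$ver" "$md5") kernel_fips_enabled=$(os_fips_flag)"
}

# Only probe when connection arguments are given, so the file can be sourced.
if [ "$#" -gt 0 ]; then probe_server "$@"; fi
```

A verdict of fips-active only says that the OpenSSL the server uses enforces FIPS restrictions; as Joe notes below in the thread, that is a long way from the installation being FIPS 140-2 compliant. On the 13.5 server in the question the script reports inconclusive.
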
Re: Is PG CE is FIPS Aware?

From
Joe Conway
Date:
On 1/27/22 12:23 AM, pramod kg wrote:
> How to determine whether PG installed in a server is FIPS aware or 
> not(FIPS 140-2 compliant)? We are doing RPM based installation.

On 1/27/22 1:15 AM, Tom Lane wrote:
> pramod kg <pramod11287@gmail.com> writes:
>> I executed query. Got output.
> 
>> postgres=# SELECT md5('foo');
>>                md5
>> ----------------------------------
>>  acbd18db4cc2f85cedef654fccc4a4d8
>> (1 row)
> 
> Oh, my mistake --- that only applies in v14 and later, before
> that md5() always uses a built-in implementation.
> 
> See the STIG that Imram mentioned.

Ensuring you are actually "FIPS 140-2 compliant" is much more complex 
than most people imagine.

See:

https://blog.crunchydata.com/blog/postgres-and-crypto-supply-chain-of-integrity

Also, see the tip of the master branch of pgnodemx:

https://github.com/CrunchyData/pgnodemx

8<-----------------------
-- this will be in next release
-- i.e. pgnodemx v1.0.6
select openssl_version();
          openssl_version
----------------------------------
  OpenSSL 1.1.1k  FIPS 25 Mar 2021
(1 row)

-- these are already in pgnodemx v1.0.5
select openssl_version();
          openssl_version
----------------------------------
  OpenSSL 1.1.1k  FIPS 25 Mar 2021
(1 row)

select symbol_filename('FIPS_mode');
         symbol_filename
--------------------------------
  /usr/lib64/libcrypto.so.1.1.1k
(1 row)

nmx=# select fips_mode();
  fips_mode
-----------
  f
(1 row)
8<-----------------------

I expect pgnodemx v1.0.6 will be released very soon.

HTH,

Joe
-- 
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development