Daniel Gustafsson <[email protected]> writes:
> When testing before pushing I ran the ssl tests, but my colleague Nazir Bilal
> Yavuz found that two additional test suites need FIPS adjustment. I will
> apply the attached shortly to fix those as well. Sorry for missing these when
> testing.

I think this is whack-a-mole. What I was thinking of proposing
was to conditionally alter the wired-in default, along the lines
of

#ifdef USE_SSL
+#ifdef PG_FIPS_COMPLIANT
+#define DEFAULT_SSL_GROUPS "prime256v1"
+#else
#define DEFAULT_SSL_GROUPS "X25519:prime256v1"
+#endif
#else
#define DEFAULT_SSL_GROUPS "none"
#endif
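
Review bot: the new #ifdef PG_FIPS_COMPLIANT branch has no comment explaining why X25519 is dropped from DEFAULT_SSL_GROUPS there, and because the symbol is a compile-time define supplied by hand, the default it selects is not tied to whether the OpenSSL library in use is actually running in FIPS mode. A short comment above the #ifdef, plus a mention wherever manually set build symbols are documented, would make the changed default discoverable. It is also worth stating that a build made without the define keeps "X25519:prime256v1" even on a FIPS host.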

and then people wanting to test on FIPS platforms could just add
-DPG_FIPS_COMPLIANT to their build recipes.

			regards, tom lane