On 06/23/2017 10:51 PM, Tom Lane wrote: > Michael Paquier <michael.paqu...@gmail.com> writes: >> On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck >> <curtis.ruck+pgsql.hack...@gmail.com> wrote: >>> If I clean this up some, maintain styleguide, what is the likely hood of >>> getting this included in the redhat packages, since redhat ships a certified >>> FIPS implementation? > >> So they are applying a custom patch to it already? > > Don't believe so. It's been a few years since I was at Red Hat, but > my recollection is that their approach was that it was a system-wide > configuration choice changing libc's behavior, and there were only very > minor fixes required to PG's behavior, all of which got propagated > upstream (see, eg, commit 01824385a). It sounds like Curtis is trying > to enable FIPS mode inside Postgres within a system where it isn't enabled > globally, which according to my recollection has basically nothing to do > with complying with the actual federal security standard.
Yes, see the PostgreSQL DISA STIG for a discussion with respect to that: https://www.crunchydata.com/postgres-stig/PGSQL-STIG-9.5+.pdf HTH, Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
signature.asc
Description: OpenPGP digital signature