Re: Replace current implementations in crypt() and gen_salt() to OpenSSL - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Msg-id 3435777.1737493159@sss.pgh.pa.us
In response to Re: Replace current implementations in crypt() and gen_salt() to OpenSSL  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
List pgsql-hackers

Daniel Gustafsson <daniel@yesql.se> writes:
> It could indeed be useful, but I doubt we can make it portable to check for
> anything but the state of OpenSSL.  If the operating system has a FIPS mode
> then we won't capture that.  That might not be a problem since if the OS is in
> FIPS mode then OpenSSL most likely will be too but we can't guarantee it.

Not our problem, I think.  The OS vendor would have to have fallen
down on the job quite badly to offer an OS-level "FIPS mode" while
shipping an OpenSSL that doesn't honor that.  It would not be optional
for OpenSSL to be in that mode if the OS is.

(If we end up inventing a FIPS-mode flag, I would fully expect
interested vendors to patch our code to force it on when the
OS-level flag is set, which is exactly what they will have done
to OpenSSL.  We should design our behavior with that in mind.)

            regards, tom lane


