Thread: Postgre SQL SHA-256 Compliance
validate some software with you to ensure that all our installed PostgreSQL software meets SHA-256 compliance. There is basically two things we are looking for: 1) Identify all COTS software purchased as part of scheduled and budgeted technology refreshes and upgrades must be SHA-256 compliant. 2) All DOD information systems that have been upgraded or are upgrading to support SHA-256 compliance must continue to maintain backwards compatibility with DOD's current SHA-1 credentials. All the software we are using are: PostgreSQL 8.2 8.2 Can you confirm that your software is SHA-256 Compliant? -- View this message in context: http://postgresql.1045698.n5.nabble.com/Postgre-SQL-SHA-256-Compliance-tp5819917.html Sent from the PostgreSQL - general mailing list archive at Nabble.com.
On 09/22/2014 07:24 AM, Anthony Burden wrote: > validate some software with you to > ensure that all our installed PostgreSQL software meets SHA-256 compliance. > There is basically two things we are looking for: > > 1) Identify all COTS software purchased as part of scheduled and budgeted > technology refreshes and upgrades must be SHA-256 compliant. > > 2) All DOD information systems that have been upgraded or are upgrading to > support SHA-256 compliance must continue to maintain backwards compatibility > with DOD's current SHA-1 credentials. > > All the software we are using are: > PostgreSQL 8.2 8.2 First the oldest supported release is 9.0, currently at 9.0.18 > > Can you confirm that your software is SHA-256 Compliant? Second what does the above mean? I found this: http://www.acq.osd.mil/dpap/ops/docs/Public%20Briefing%20-%20DoD%20SHA-256%20Migration%2018%20Mar%202011.pdf but my eyes quickly glazed over:) So a synopsis would be helpful. -- Adrian Klaver adrian.klaver@aklaver.com
Anthony Burden wrote: > validate some software with you to > ensure that all our installed PostgreSQL software meets SHA-256 compliance. > There is basically two things we are looking for: > > 1) Identify all COTS software purchased as part of scheduled and budgeted > technology refreshes and upgrades must be SHA-256 compliant. > > 2) All DOD information systems that have been upgraded or are upgrading to > support SHA-256 compliance must continue to maintain backwards compatibility > with DOD's current SHA-1 credentials. > > All the software we are using are: > PostgreSQL 8.2 8.2 > > Can you confirm that your software is SHA-256 Compliant? If you mean whether a SSL database connection can use SHA-256 or not, that depends on the OpenSSL library your PostgreSQL uses. If your OpenSSL version supports SHA-256, so does PostgreSQL. Yours, Laurenz Albe
>> Can you confirm that your software is SHA-256 Compliant? Postgres's SSL certificate & key live at the value of ssl_cert_file and ssl_key_file in your postgresql.conf. Why not point it at a SHA-256 certificate, restart, and try it out? Paul -- _________________________________ Pulchritudo splendor veritatis.
On Sep 22, 2014, at 9:46 AM, Paul Jungwirth <pj@illuminatedcomputing.com> wrote: >>> Can you confirm that your software is SHA-256 Compliant? > > Postgres's SSL certificate & key live at the value of ssl_cert_file > and ssl_key_file in your postgresql.conf. Why not point it at a > SHA-256 certificate, restart, and try it out? > Unfortunately, that is not the way the government usually works. The person requesting the info may not even have accessto the system or know how to use the system. This is especially true if the system is classified at any level.
On Mon, Sep 22, 2014 at 9:42 AM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote: > Anthony Burden wrote: >> validate some software with you to >> ensure that all our installed PostgreSQL software meets SHA-256 compliance. >> There is basically two things we are looking for: >> >> 1) Identify all COTS software purchased as part of scheduled and budgeted >> technology refreshes and upgrades must be SHA-256 compliant. >> >> 2) All DOD information systems that have been upgraded or are upgrading to >> support SHA-256 compliance must continue to maintain backwards compatibility >> with DOD's current SHA-1 credentials. >> >> All the software we are using are: >> PostgreSQL 8.2 8.2 >> >> Can you confirm that your software is SHA-256 Compliant? > > If you mean whether a SSL database connection can use SHA-256 or not, > that depends on the OpenSSL library your PostgreSQL uses. > If your OpenSSL version supports SHA-256, so does PostgreSQL. Well, it may be more than that depending on what 'SHA-256 compliance' means. Postgres still uses md5 for password authentication. This has a significant downside: it requires endlessly explaining the actual danger to those who are security experts but don't know the difference between collision and preimage resistance. For everything but password auth postgres depends on SSL and is configurable. merlin
Anthony, * Anthony Burden (anthony.d.burden.ctr@mail.mil) wrote: > validate some software with you to > ensure that all our installed PostgreSQL software meets SHA-256 compliance. > There is basically two things we are looking for: > > 1) Identify all COTS software purchased as part of scheduled and budgeted > technology refreshes and upgrades must be SHA-256 compliant. > > 2) All DOD information systems that have been upgraded or are upgrading to > support SHA-256 compliance must continue to maintain backwards compatibility > with DOD's current SHA-1 credentials. > > All the software we are using are: > PostgreSQL 8.2 8.2 PostgreSQL is now at version 9.3, with 9.0 being the oldest version which is supported by PGDG (the PostgreSQL Global Development Group- aka the PostgreSQL community). Support for older versions may be available from PostgreSQL support vendors- a list of vendors in North America is available here: http://www.postgresql.org/support/professional_support/northamerica/ > Can you confirm that your software is SHA-256 Compliant? As mentioned elsewhere on the thread, if this question is about SHA-256 support in OpenSSL, you would need to check the OpenSSL library on your system. If the operating system you're running PostgreSQL on is as old as the version of PostgreSQL you're running then I would be quite worried that it does not support SHA-256. Generally, I'd recommend you look to upgrade to a version of your OS which includes a version of PostgreSQL which is currently considered supported by the PGDG (eg: Red Hat Enterprise Linux 7 includes PostgreSQL 9.2) and verify that the OpenSSL also supports SHA-256 (RHEL7 does). Thanks! Stephen
Attachment
On Mon, Sep 22, 2014 at 10:15:36AM -0500, Neil Tiffin wrote: > >>> Can you confirm that your software is SHA-256 Compliant? > > > > Postgres's SSL certificate & key live at the value of ssl_cert_file > > and ssl_key_file in your postgresql.conf. Why not point it at a > > SHA-256 certificate, restart, and try it out? > > > Unfortunately, that is not the way the government usually > works. The person requesting the info may not even have > access to the system or know how to use the system. This is > especially true if the system is classified at any level. There is no need for access because the exact version is known. Install a local PG 8.2, at home, on your laptop, and check. Karsten -- GPG key ID E4071346 @ gpg-keyserver.de E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346