On Mon, Sep 17, 2018 at 02:55:55PM +, Alessandro Gherardi wrote:
> Therefore, I believe the best option, at least for now, is calling
> FIPS_mode_set(1) in the application.
I am not so sure about that. As you rightly mention, CentOS and RedHat
patch OpenSSL to allow FIPS to work. Per my res
Here's a patch for enabling FIPS in OpenSSL - by calling FIPS_mode_set(1) - on
Windows if the FIPS registry entry
HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to
1. That's the entry that the .NET crypto libraries look at to decide whether or
not to operate in FI
On Wed, Sep 12, 2018 at 07:24:24AM +0900, Michael Paquier wrote:
> Good point. Such things have bitten in the past. Okay, then let's do
> something about sha2_openssl.c only on HEAD for now then, which I am
> fine to finish wrapping.
I was looking at trying to commit this patch, however more nee
On Tue, Sep 11, 2018 at 04:32:27PM +0200, Peter Eisentraut wrote:
> I recommend letting this bake in the master branch for a while. There
> are a lot weirdly patched and alternative OpenSSL versions out there
> that defy any documentation.
Good point. Such things have bitten in the past. Okay,
On 11/09/2018 05:02, Michael Paquier wrote:
> Hence, intrinsically, we are in contradiction with the upstream docs. I
> have worked on the problem with the patch, which works down to OpenSSL
> 0.9.8, and should fix your issue. This is based on what you sent
> previously, except that I was not abl
On Tue, Sep 11, 2018 at 12:02:50PM +0900, Michael Paquier wrote:
> Hence, intrinsically, we are in contradiction with the upstream docs. I
> have worked on the problem with the patch, which works down to OpenSSL
> 0.9.8, and should fix your issue. This is based on what you sent
> previously, exce
On Mon, Sep 10, 2018 at 02:52:00PM +, Alessandro Gherardi wrote:
> I changed the implementation of the other SHA digests to use EVP
> also. I verified that, with these changes, scram-sha-256 works when
> FIPS is enabled.
Hm... I have spent a couple of hours setting up a CentOS 7 VM with FIPS
I changed the implementation of the other SHA digests to use EVP also.
I verified that, with these changes, scram-sha-256 works when FIPS is enabled.
Attachments: sha2.h.diff, sha2_openssl.c.diff
Hi Michael,
I'm attaching the output of diff.
> If we could prove that sha2-openssl.c is actually
> unreliable even if FIPS is enabled system-wide with either SCRAM
> authentication or any of the other hashing functions, then I would be
> ready to accept a patch. Now, as far as I can see and heard f
On Wed, Sep 05, 2018 at 01:19:39PM +, Alessandro Gherardi wrote:
> Hi Michael, I'm actually running postgres on Windows.
First you may want to avoid top-posting. This is not the style of the
community lists and this breaks the logic of a thread.
> I added code to fe-secure-openssl.c and be-se
Hi Michael, I'm actually running postgres on Windows.
I added code to fe-secure-openssl.c and be-secure-openssl.c that reads the
Windows "standard" FIPS registry entry, and if FIPS is enabled calls
FIPS_mode_set(1). This is to mimic the behavior of the .NET framework.
Below is the code I added to f
On Wed, Sep 05, 2018 at 03:29:31AM +, Alessandro Gherardi wrote:
> It looks like scram-sha-256 doesn't work when postgres is linked
> against FIPS-enabled OpenSSL and FIPS mode is turned on.
>
> Specifically, all login attempts fail with an OpenSSL error saying
> something along the lines of "
It looks like scram-sha-256 doesn't work when postgres is linked against
FIPS-enabled OpenSSL and FIPS mode is turned on.
Specifically, all login attempts fail with an OpenSSL error saying something
along the lines of "Low level API call to digest SHA256 forbidden in fips mode".
I think this iss