postgres-10 with FIPS

Started by Aravindhan Krishnan over 5 years ago. 9 messages. List: general
#1Aravindhan Krishnan
aravindhank11@gmail.com

Hi Community,

In our org, we are using postgres-10, which was installed by adding the source
to apt and downloading postgres on top of Ubuntu (currently using Ubuntu
20.04.1). We wanted to go for FIPS compliance, for which we need to use the
FIPS compliant packages of all the libraries / packages we use.

Since postgres is linked against openssl we wanted to make sure we build
postgres against the FIPS compliant openssl libraries. Does postgres
provide a FIPS Debian package that can be used? If not, it would be of great
help to have instructions for building the Debian package of postgres linked
against the FIPS compliant openssl libraries.

Regards,
Aravindhan Krishnan...

#2Michael Paquier
michael@paquier.xyz
In reply to: Aravindhan Krishnan (#1)
Re: postgres-10 with FIPS

On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote:

Since postgres is linked against openssl we wanted to make sure we build
postgres against the FIPS compliant openssl libraries. Does postgres
provide a FIPS debian package that can be used. If not it would be of great
help to help with the instructions to build the debian of postgres linked
against the FIPS compliant openssl libraries.

There is no need for Postgres to do anything specific with FIPS at
runtime, as long as the OS takes care of enabling FIPS and that
OpenSSL is able to recognize that. So normally, you could just use a
version of Postgres compiled with OpenSSL 1.0.2, and replace the
libraries of OpenSSL with a version that is compiled with FIPS enabled
as the APIs of OpenSSL used by Postgres are exactly the same for the
non-FIPS and FIPS cases.
--
Michael
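
What Michael describes, as an added example that is not code from the thread or from the PostgreSQL project: a POSIX shell script that checks the three conditions on a host, namely that the kernel FIPS switch is on, that the postgres binary the package installed really resolves libssl/libcrypto from the FIPS-capable OpenSSL build and not from the stock one, and that that OpenSSL build refuses a non-approved algorithm once FIPS mode is engaged. The /opt/openssl-fips prefix (overridable through FIPS_OPENSSL_PREFIX) is an assumption of the example, and the ldd output embedded in it is constructed so the parsing functions can be tried without a server present; `--live` runs the real checks. Passing them shows the wiring is right, nothing more: it is not a statement about whose FIPS validation the library carries.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: check that a
# running installation is in the state Michael describes, i.e. the OS has
# FIPS mode on and the postgres binary really resolves libssl/libcrypto from
# the FIPS-capable OpenSSL build rather than the stock one.

# Path a binary resolves a shared library to, taken from ldd output.
# Usage: shared_lib_path "<ldd output>" libssl   -> /path/to/libssl.so.x
shared_lib_path() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 ~ ("^" name "\\.so") { print $3; exit }'
}

# True when a resolved library path lies under the OpenSSL prefix in $2.
lib_under_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# True when the kernel FIPS switch (/proc/sys/crypto/fips_enabled) reads 1.
# Takes the file contents as $1 so it can be exercised without the file.
fips_flag_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Constructed ldd output for the sample checks; not captured from a real
# host. The /opt/openssl-fips prefix is an assumption of this example.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd8a1f2000)
    libssl.so.1.0.0 => /opt/openssl-fips/lib/libssl.so.1.0.0 (0x00007f0c3e8a0000)
    libcrypto.so.1.0.0 => /opt/openssl-fips/lib/libcrypto.so.1.0.0 (0x00007f0c3e400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c3e000000)'

# Live checks against the installed server. Returns 0 only when all pass.
live_checks() {
    prefix="${FIPS_OPENSSL_PREFIX:-/opt/openssl-fips}"   # assumed prefix
    command -v pg_config >/dev/null || { echo "pg_config not found" >&2; return 1; }
    pgbin="$(pg_config --bindir)/postgres"

    fips_flag_enabled "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" \
        || { echo "kernel: fips_enabled is not 1"; return 1; }

    out="$(ldd "$pgbin")" || return 1
    for lib in libssl libcrypto; do
        p="$(shared_lib_path "$out" "$lib")"
        lib_under_prefix "$p" "$prefix" \
            || { echo "$lib resolves to ${p:-<nothing>}, not under $prefix"; return 1; }
        echo "$lib -> $p"
    done

    # The FIPS-capable OpenSSL 1.0.2 command line tool enters FIPS mode when
    # OPENSSL_FIPS is set; MD5 must then be refused, so a digest that succeeds
    # means the FIPS module is not actually engaged.
    if printf 'probe' | OPENSSL_FIPS=1 "$prefix/bin/openssl" dgst -md5 >/dev/null 2>&1; then
        echo "openssl computed MD5 with OPENSSL_FIPS=1: FIPS mode not engaged"
        return 1
    fi
    echo "all checks passed"
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as `sh fips-check.sh --live` on the database host; the ldd step is the one that catches the common mistake of installing a FIPS OpenSSL under a separate prefix while the server still binds to the distribution's libssl because of the soname and search order.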

#3Aravindhan Krishnan
aravindhank11@gmail.com
In reply to: Michael Paquier (#2)
Re: postgres-10 with FIPS

Hi Michael,

Thanks for the quick response. I will try this out.

Would it be possible to share the configure command used in building the
standard postgres package? There are quite a lot of knobs and we wanted to
retain the same behaviour from postgres. I am assuming that, apart from this, I
might need to set the LDFLAGS and CFLAGS knobs to point to the include and lib
directories of the FIPS compliant openssl library. Also, we would
like to build a Debian package after the make -- would checkinstall be the
right tool for this purpose?

Thanks

Regards,
Aravindhan Krishnan...


#4Aravindhan Krishnan
aravindhank11@gmail.com
In reply to: Aravindhan Krishnan (#3)
Re: postgres-10 with FIPS

Hi Community,

Can someone help me with the above request?

* Would it be possible to share the configure command used in building the
standard postgres package?
* We would like to build a Debian package after the make -- would
checkinstall be the right tool for this purpose?

Regards,
Aravindhan Krishnan...


#5Tom Lane
tgl@sss.pgh.pa.us
In reply to: Aravindhan Krishnan (#4)
Re: postgres-10 with FIPS

Aravindhan Krishnan <aravindhank11@gmail.com> writes:

* Would it be possible to share the configure command used in building the
standard postgres package ?

There is no "the standard" postgres package. There's a different one
for every major platform or distro, and in some cases more than one
available from different people. So really you'd have to go look at
the particular package you're using. If this is on any open-source
platform (you did mention debian) the package source files should be
readily available to look at, and that would tell you what configure
options were used.

An even more direct way is to run "pg_config" from the package and
see what it prints.

regards, tom lane
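
Tom's pg_config pointer, together with the LDFLAGS/CFLAGS question in #3, as an added example that is not code from the thread or from PostgreSQL: a shell function that takes the option list `pg_config --configure` prints for the installed package and emits the same list pointed at a FIPS-capable OpenSSL build, using PostgreSQL's own `--with-includes` / `--with-libraries` configure options (which take colon-separated directory lists) instead of hand-edited CFLAGS, plus an rpath in LDFLAGS so the result binds to that libssl at run time. The /opt/openssl-fips prefix is an assumption, and the sample option string is constructed in the shape pg_config prints; it is not the real Debian/PGDG option list, which is much longer and must be read from your own package.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: derive a
# configure line for a FIPS-capable OpenSSL build from the options the
# installed package was built with (as printed by `pg_config --configure`).

# Single-quote one argument for re-use on a shell command line.
squote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Print the option list from `pg_config --configure` ($1) with the OpenSSL
# search paths pointed at the FIPS-capable build under prefix $2.
# Existing --with-includes/--with-libraries values are kept, appended after
# the FIPS directories (PostgreSQL's configure takes colon-separated lists),
# so the FIPS headers and libraries are found first.
fips_configure_args() {
    line="$1"; prefix="$2"; inc=""; lib=""; out=""
    # pg_config prints single-quoted tokens; re-split them honouring the
    # quotes. The input is the local pg_config's output, not user input.
    eval "set -- $line"
    for a in "$@"; do
        case "$a" in
            --with-includes=*)  inc="${a#--with-includes=}" ;;
            --with-libraries=*) lib="${a#--with-libraries=}" ;;
            --with-openssl)     ;;   # re-added explicitly below
            *)                  out="$out$(squote "$a") " ;;
        esac
    done
    out="$out--with-openssl "
    out="$out$(squote "--with-includes=$prefix/include${inc:+:$inc}") "
    out="$out$(squote "--with-libraries=$prefix/lib${lib:+:$lib}")"
    printf '%s\n' "$out"
}

# Linker flag so the built binaries bind to the FIPS libssl/libcrypto at run
# time even when a system libssl with the same soname is installed.
fips_ldflags() { printf '%s\n' "-Wl,-rpath,$1/lib"; }

# Print a copy-and-paste recipe for a rebuild from a source tree of the same
# major version; reads the real pg_config of the installed package.
print_rebuild_recipe() {
    prefix="$1"
    command -v pg_config >/dev/null || { echo "pg_config not found" >&2; return 1; }
    args="$(fips_configure_args "$(pg_config --configure)" "$prefix")"
    printf './configure %s LDFLAGS=%s\n' "$args" "$(squote "$(fips_ldflags "$prefix")")"
    printf 'make && make check && make install\n'
}

# Constructed sample in the shape pg_config --configure prints; NOT the real
# Debian/PGDG option list. Read yours from the installed package.
SAMPLE_CONFIGURE="'--build=x86_64-linux-gnu' '--prefix=/usr' '--with-includes=/usr/include/mit-krb5' '--with-openssl' '--with-gssapi'"

if [ "${1:-}" = "--recipe" ]; then
    print_rebuild_recipe "${2:-/opt/openssl-fips}"   # assumed prefix
fi
```

`sh fips-configure.sh --recipe /opt/openssl-fips` prints the configure and make lines to paste into the unpacked source tree; the printed arguments are quoted, so if you feed them back from a script use `eval` rather than unquoted word splitting. Afterwards `pg_config --configure` from the new build should show the FIPS directories, and `ldd` on the new postgres binary should resolve libssl under the prefix.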

#6Aravindhan Krishnan
aravindhank11@gmail.com
In reply to: Tom Lane (#5)
Re: postgres-10 with FIPS

Hi Folks,

Thanks for the responses. Since the underlying knob flip is a paid version
and we are a SaaS based service provider, this might not align well with
our requirement, so we wanted to build postgres-10 against FIPS compliant
ssl/crypto. "pg_config" is of great help in order to understand the
build-time configure options.

Thank you.

Regards,
Aravindhan Krishnan...


#7Magnus Hagander
magnus@hagander.net
In reply to: Aravindhan Krishnan (#6)
Re: postgres-10 with FIPS

On Wed, Dec 9, 2020 at 5:30 AM Aravindhan Krishnan <aravindhank11@gmail.com>
wrote:

Hi Folks,

Thanks for the responses. Since the underlying knob flip is a paid version
and we are a SaaS based service provider, this might not align well with
our requirement, so we wanted to build postgres-10 against FIPS compliant
ssl/crypto. "pg_config" is of great help in order to understand the
build-time configure options.

Huh? There is *nothing* in PostgreSQL that is a paid version (there is no
such thing, simply), nor in any of our open source packaging.

If you are specifically looking at the Debian or Ubuntu packages, you can
find the full packaging information in the salsa repositories at
https://salsa.debian.org/postgresql/postgresql. It will have all the
details you need.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/

#8Aravindhan Krishnan
aravindhank11@gmail.com
In reply to: Magnus Hagander (#7)
Re: postgres-10 with FIPS

Hi Magnus,

The paid version I mentioned was the paid OS (Ubuntu) for FIPS
compliance. I understand that postgres itself is completely available as
open source.

Since we can't get the paid version of the OS to support FIPS compliance,
the idea was to build postgres against the FIPS compliant SSL/crypto of 1.0.2g
and get it to work on Ubuntu 20.04, for which I was interested in the
configure option.

Thanks and Regards
Aravindhan K


#9Joe Conway
mail@joeconway.com
In reply to: Aravindhan Krishnan (#8)
Re: postgres-10 with FIPS

On 12/9/20 4:51 AM, Aravindhan Krishnan wrote:

The paid version I mentioned was the paid OS (Ubuntu) for FIPS
compliance. I understand that postgres itself is completely available as open source.

Since we can't get the paid version of the OS to support FIPS compliance, the
idea was to build postgres against the FIPS compliant SSL/crypto of 1.0.2g and get
it to work on Ubuntu 20.04, for which I was interested in the configure option.

Actual FIPS compliance is held by the distributor of the SSL library you use.

While you can, for example, configure a CentOS 7 system to be in "FIPS mode", it
is still not "FIPS compliant" if you didn't get the bits (the SSL library
itself) from Red Hat (which you did not if you are running CentOS).

The situation is the same with Ubuntu, except as far as I am aware you cannot
even get your hands on the SSL library for "FIPS mode" from Ubuntu unless you
pay them, unlike CentOS.

So no matter what you do with Postgres itself, you will not be FIPS compliant
without paying RHEL/Ubuntu/SUSE or getting your stack certified yourself (which
is not likely something you will want to do and would cost you more anyway).

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development