On 05.10.23 22:55, Tom Lane wrote:
I found another bit of fun we'll need to deal with: on my F38
platform, pgcrypto/3des fails as attached. Some googling finds
this relevant info:
https://github.com/pyca/cryptography/issues/6875
That is, FIPS deprecation of 3DES is happening even as we speak.
So apparently we'll have little choice but to deal with two
different behaviors for that.
As before, I'm not too pleased with the user-friendliness
of the error:
+ERROR: encrypt error: Cipher cannot be initialized
That's even less useful to a user than "unsupported".
FWIW, everything else seems to pass with this patchset.
I ran check-world as well as the various "must run manually"
test suites.
I've been trying to get some VM set up with the right Red Hat
environment to be able to reproduce the issues you reported. But
somehow switching the OS into FIPS mode messes up the boot environment
of the VM or something. So I haven't been able to make progress on this.
I suggest that if there are no other concerns, we proceed with the patch
set as is for now.
The 3DES deprecation can be addressed by adding another expected file,
which can easily be supplied by someone having this environment running.
The error message difference in the older OpenSSL version would probably
need a small bit of coding. But we can leave that as a separate add-on
project.
