> On 21 Nov 2024, at 22:39, Joe Conway <m...@joeconway.com> wrote:
> I mean, perhaps I am misreading and/or interpreting all of that differently
> to you, but from my reading of the entire thread there was clearly no
> consensus to using openssl to provide those two functions.

My interpretation (or perhaps, my opinion) is that it would be ideal to
reimplement these functions using OpenSSL *if possible* but the cost/benefit
ratio is probably tilted such that it will never happen.

> [..] we don't drag this out past pg18 feature freeze

Agreed.

> If you have a better patch you would like to propose to fix this problem,
> please do.

I'm still not thrilled about having a transitive dependency GUC, so attached
is a (very lightly tested POC) version of your patch which expands it from
boolean to enum with on/off/fips; the fips value being "disable if openssl is
in fips mode, else enable". I'm not sure if that's better, but at least it
gives users a way to control the FIPS mode setting in one place and have
crypto consumers follow the set value (or they can explicitly turn it off if
they just want them disabled even without FIPS).

--
Daniel Gustafsson
v2-0001-Make-it-possible-to-disable-built-in-crypto.patch
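The on/off/fips semantics described in the mail, written out as a small added C example (not the attached patch and not PostgreSQL code): a tri-state setting is parsed from its string value, resolved against whether the linked OpenSSL reports FIPS mode, and then consulted by a crypto consumer before it runs any built-in (non-OpenSSL) algorithm. The enum, function and parameter names are hypothetical, and the FIPS probe is a constructed stand-in passed as a function pointer so the example runs without OpenSSL; a real build would ask OpenSSL directly (OpenSSL 3 exposes EVP_default_properties_is_fips_enabled()).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tri-state setting mirroring the proposed on/off/fips GUC.
 * Hypothetical names; not the patch's own identifiers. */
typedef enum
{
	BUILTIN_CRYPTO_OFF,
	BUILTIN_CRYPTO_ON,
	BUILTIN_CRYPTO_FIPS			/* follow OpenSSL: off iff it is in FIPS mode */
} BuiltinCryptoMode;

/* Parse a GUC-style string value; returns false on an unknown value. */
bool
parse_builtin_crypto_mode(const char *value, BuiltinCryptoMode *out)
{
	if (strcmp(value, "off") == 0)
		*out = BUILTIN_CRYPTO_OFF;
	else if (strcmp(value, "on") == 0)
		*out = BUILTIN_CRYPTO_ON;
	else if (strcmp(value, "fips") == 0)
		*out = BUILTIN_CRYPTO_FIPS;
	else
		return false;
	return true;
}

/* Probe for "is the linked OpenSSL running in FIPS mode?".  Constructed
 * stand-in so the example is self-contained; a real build would call
 * OpenSSL (e.g. EVP_default_properties_is_fips_enabled(NULL) on OpenSSL 3). */
typedef bool (*fips_probe_fn) (void);

/* Resolve the setting to a concrete yes/no for this process. */
bool
builtin_crypto_enabled(BuiltinCryptoMode mode, fips_probe_fn openssl_in_fips_mode)
{
	switch (mode)
	{
		case BUILTIN_CRYPTO_ON:
			return true;
		case BUILTIN_CRYPTO_OFF:
			return false;
		case BUILTIN_CRYPTO_FIPS:
			/* Built-in, non-validated code paths are disabled exactly when
			 * OpenSSL reports FIPS mode, enabled otherwise. */
			return !openssl_in_fips_mode();
	}
	return false;				/* unreachable for valid modes; fail closed */
}

/* What a crypto consumer would call before doing any built-in work.
 * Returns 0 to proceed, -1 to refuse (with a message in errbuf if given). */
int
check_builtin_crypto_allowed(const char *guc_value, fips_probe_fn probe,
							 char *errbuf, size_t errlen)
{
	BuiltinCryptoMode mode;

	if (!parse_builtin_crypto_mode(guc_value, &mode))
	{
		if (errbuf && errlen)
			snprintf(errbuf, errlen,
					 "invalid value \"%s\": expected on, off or fips", guc_value);
		return -1;
	}
	if (!builtin_crypto_enabled(mode, probe))
	{
		if (errbuf && errlen)
			snprintf(errbuf, errlen, "built-in crypto is disabled (setting is %s%s)",
					 guc_value,
					 mode == BUILTIN_CRYPTO_FIPS ? ", OpenSSL is in FIPS mode" : "");
		return -1;
	}
	return 0;
}

/* Constructed probes standing in for the two possible OpenSSL states. */
static bool probe_fips_on(void) { return true; }
static bool probe_fips_off(void) { return false; }

int
main(void)
{
	const char *values[] = {"on", "off", "fips", "bogus"};
	char		err[128];

	for (size_t i = 0; i < sizeof(values) / sizeof(values[0]); i++)
	{
		int		with = check_builtin_crypto_allowed(values[i], probe_fips_on, err, sizeof(err));
		int		without = check_builtin_crypto_allowed(values[i], probe_fips_off, err, sizeof(err));

		printf("%-6s fips-mode:%s  non-fips:%s\n", values[i],
			   with == 0 ? "allow" : "refuse", without == 0 ? "allow" : "refuse");
	}
	return 0;
}
```

The point the loop makes visible is the one the mail argues for: with a single setting, a consumer never has to know about OpenSSL itself; "fips" flips with the platform, while "off" lets an operator disable the built-in paths even on a non-FIPS build.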