On 11/22/24 09:11, Daniel Gustafsson wrote:
On 21 Nov 2024, at 22:39, Joe Conway <m...@joeconway.com> wrote:

I mean, perhaps I am misreading and/or interpreting all of that differently to
you, but from my reading of the entire thread there was clearly no consensus to
using openssl to provide those two functions.

My interpretation (or perhaps, my opinion) is that it would be ideal to
reimplement these functions using OpenSSL *if possible* but the cost/benefit
ratio is probably tilted such that it will never happen.

[..] we don't drag this out past pg18 feature freeze

Agreed.

If you have a better patch you would like to propose to fix this problem,
please do.

I'm still not thrilled about having a transitive dependency GUC, so attached is
a (very lightly tested POC) version of your patch which expands it from boolean
to enum with on/off/fips; the fips value being "disable if openssl is in fips
mode, else enable". I'm not sure if that's better, but at least it gives users
a way to control the FIPS mode setting in one place and have crypto consumers
follow the set value (or they can explicitly turn it off if they just want them
disabled even without FIPS).

Works for me.

I do wonder if the GUC should be PGC_POSTMASTER (as I had suggested it
ought to be in an earlier post) rather than PGC_SUSET (which was the way
my posted patch had it). But perhaps PGC_SUSET is sufficient, and it
makes testing easier.

One other question this spawned -- do we document the minimum supported
version of OpenSSL anywhere? I remembered it had recently been
increased, but could only find confirmation in the git logs that 1.1.1
was now the minimum.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com