To utilize openssl FIPS, you have to explicitly enable it, per the FIPS
user guide:

So, my target would be redhat/centos where openssl FIPS is
certified/available, and then add a configuration parameter to enable it
(much like Apache HTTPD's SSLFIPS directive:

On Sat, Jun 24, 2017 at 1:51 AM Tom Lane <> wrote:

> Michael Paquier <> writes:
> > On Sat, Jun 24, 2017 at 12:56 PM, Curtis Ruck
> > <> wrote:
> >> If I clean this up some, maintain styleguide, what is the likely hood of
> >> getting this included in the redhat packages, since redhat ships a
> certified
> >> FIPS implementation?
> > So they are applying a custom patch to it already?
> Don't believe so.  It's been a few years since I was at Red Hat, but
> my recollection is that their approach was that it was a system-wide
> configuration choice changing libc's behavior, and there were only very
> minor fixes required to PG's behavior, all of which got propagated
> upstream (see, eg, commit 01824385a).  It sounds like Curtis is trying
> to enable FIPS mode inside Postgres within a system where it isn't enabled
> globally, which according to my recollection has basically nothing to do
> with complying with the actual federal security standard.
>                         regards, tom lane

Reply via email to