Обсуждение: postgres-10 with FIPS
Hi Community,
In our org, we are using postgres-10 and was installed by adding the source to apt and downloading postgres on top of ubuntu (currently using ubuntu 20.04.1) . We wanted to go for FIPS compliance for which we need to use the FIPS compliant packages of all the libraries / packages we use.
In our org, we are using postgres-10 and was installed by adding the source to apt and downloading postgres on top of ubuntu (currently using ubuntu 20.04.1) . We wanted to go for FIPS compliance for which we need to use the FIPS compliant packages of all the libraries / packages we use.
Since postgres is linked against openssl we wanted to make sure we build postgres against the FIPS compliant openssl libraries. Does postgres provide a FIPS debian package that can be used. If not it would be of great help to help with the instructions to build the debian of postgres linked against the FIPS compliant openssl libraries.
Regards,
Aravindhan Krishnan...
On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote: > Since postgres is linked against openssl we wanted to make sure we build > postgres against the FIPS compliant openssl libraries. Does postgres > provide a FIPS debian package that can be used. If not it would be of great > help to help with the instructions to build the debian of postgres linked > against the FIPS compliant openssl libraries. There is no need for Postgres to do anything specific with FIPS at runtime, as long as the OS takes care of enabling FIPS and that OpenSSL is able to recognize that. So normally, you could just use a version of Postgres compiled with OpenSSL 1.0.2, and replace the libraries of OpenSSL with a version that is compiled with FIPS enabled as the APIs of OpenSSL used by Postgres are exactly the same for the non-FIPS and FIPS cases. -- Michael
Вложения
Hi Michael,
Thanks for the quick response. I will try this out.
Thanks for the quick response. I will try this out.
Would it be possible to share the configure command used in building the standard postgres package. There are quite a lot of knobs and we wanted to retain the same behaviour from postgres. I am assuming apart from this, I might need to set the LDFLAGS, CFLAGS knob to point to include and lib directories of FIPS compliant openssl library and includes. Also we would like to build a debian package post the make -- would checkinstall be the right tool for this purpose ?
Thanks
Regards,
Aravindhan Krishnan...
On Fri, 4 Dec 2020 at 11:13, Michael Paquier <michael@paquier.xyz> wrote:
On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote:
> Since postgres is linked against openssl we wanted to make sure we build
> postgres against the FIPS compliant openssl libraries. Does postgres
> provide a FIPS debian package that can be used. If not it would be of great
> help to help with the instructions to build the debian of postgres linked
> against the FIPS compliant openssl libraries.
There is no need for Postgres to do anything specific with FIPS at
runtime, as long as the OS takes care of enabling FIPS and that
OpenSSL is able to recognize that. So normally, you could just use a
version of Postgres compiled with OpenSSL 1.0.2, and replace the
libraries of OpenSSL with a version that is compiled with FIPS enabled
as the APIs of OpenSSL used by Postgres are exactly the same for the
non-FIPS and FIPS cases.
--
Michael
Hi Community,
Can someone help me on the above request ?
* Would it be possible to share the configure command used in building the standard postgres package ?
* We would like to build a debian package post the make -- would checkinstall be the right tool for this purpose ?
Can someone help me on the above request ?
* Would it be possible to share the configure command used in building the standard postgres package ?
* We would like to build a debian package post the make -- would checkinstall be the right tool for this purpose ?
Regards,
Aravindhan Krishnan...
On Fri, 4 Dec 2020 at 16:42, Aravindhan Krishnan <aravindhank11@gmail.com> wrote:
Hi Michael,
Thanks for the quick response. I will try this out.
Would it be possible to share the configure command used in building the standard postgres package. There are quite a lot of knobs and we wanted to retain the same behaviour from postgres. I am assuming apart from this, I might need to set the LDFLAGS, CFLAGS knob to point to include and lib directories of FIPS compliant openssl library and includes. Also we would like to build a debian package post the make -- would checkinstall be the right tool for this purpose ?
ThanksRegards,Aravindhan Krishnan...On Fri, 4 Dec 2020 at 11:13, Michael Paquier <michael@paquier.xyz> wrote:On Thu, Dec 03, 2020 at 05:57:04PM +0530, Aravindhan Krishnan wrote:
> Since postgres is linked against openssl we wanted to make sure we build
> postgres against the FIPS compliant openssl libraries. Does postgres
> provide a FIPS debian package that can be used. If not it would be of great
> help to help with the instructions to build the debian of postgres linked
> against the FIPS compliant openssl libraries.
There is no need for Postgres to do anything specific with FIPS at
runtime, as long as the OS takes care of enabling FIPS and that
OpenSSL is able to recognize that. So normally, you could just use a
version of Postgres compiled with OpenSSL 1.0.2, and replace the
libraries of OpenSSL with a version that is compiled with FIPS enabled
as the APIs of OpenSSL used by Postgres are exactly the same for the
non-FIPS and FIPS cases.
--
Michael
Aravindhan Krishnan <aravindhank11@gmail.com> writes:
> * Would it be possible to share the configure command used in building the
> standard postgres package ?
There is no "the standard" postgres package. There's a different one
for every major platform or distro, and in some cases more than one
available from different people. So really you'd have to go look at
the particular package you're using. If this is on any open-source
platform (you did mention debian) the package source files should be
readily available to look at, and that would tell you what configure
options were used.
An even more direct way is to run "pg_config" from the package and
see what it prints.
regards, tom lane
Hi Folks,
Thanks for the responses. Since the underlying knob flip is a paid version and we are a SaaS based service provider, this might not align well with our requirement and so wanted to build postgres-10 against FIPS compliant ssl/crypto. The "pg_config" is of of great help in order to understand the build time configure options.
Thank you.
Thanks for the responses. Since the underlying knob flip is a paid version and we are a SaaS based service provider, this might not align well with our requirement and so wanted to build postgres-10 against FIPS compliant ssl/crypto. The "pg_config" is of of great help in order to understand the build time configure options.
Thank you.
Regards,
Aravindhan Krishnan...
On Wed, 9 Dec 2020 at 00:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Aravindhan Krishnan <aravindhank11@gmail.com> writes:
> * Would it be possible to share the configure command used in building the
> standard postgres package ?
There is no "the standard" postgres package. There's a different one
for every major platform or distro, and in some cases more than one
available from different people. So really you'd have to go look at
the particular package you're using. If this is on any open-source
platform (you did mention debian) the package source files should be
readily available to look at, and that would tell you what configure
options were used.
An even more direct way is to run "pg_config" from the package and
see what it prints.
regards, tom lane
On Wed, Dec 9, 2020 at 5:30 AM Aravindhan Krishnan <aravindhank11@gmail.com> wrote:
Hi Folks,
Thanks for the responses. Since the underlying knob flip is a paid version and we are a SaaS based service provider, this might not align well with our requirement and so wanted to build postgres-10 against FIPS compliant ssl/crypto. The "pg_config" is of of great help in order to understand the build time configure options.
Huh? There is *nothing* in PostgreSQL that is a paid version (there is no such thing, simply), nor in any of our open source packaging.
If you are specifically looking at the Debian or Ubuntu packages, you can find the full packaging information in the salsa repositories at https://salsa.debian.org/postgresql/postgresql. It will have all teh details you need.
Hi Magnus,
The paid version I had mentioned about was the paid OS (ubuntu) for FIPS compliancy. I understand that postgres as is completely available for open-source.
Since we can't get the paid version of the OS to support FIPS compliancy the idea was to build postgres against FIPS compliant SSL/crypto of 1.0.2g and get it to work on ubuntu 20.04 for which I was interested in the configure option.
Thanks and Regards
Aravindhan K
On Wed, 9 Dec, 2020, 3:07 pm Magnus Hagander, <magnus@hagander.net> wrote:
--On Wed, Dec 9, 2020 at 5:30 AM Aravindhan Krishnan <aravindhank11@gmail.com> wrote:Hi Folks,
Thanks for the responses. Since the underlying knob flip is a paid version and we are a SaaS based service provider, this might not align well with our requirement and so wanted to build postgres-10 against FIPS compliant ssl/crypto. The "pg_config" is of of great help in order to understand the build time configure options.Huh? There is *nothing* in PostgreSQL that is a paid version (there is no such thing, simply), nor in any of our open source packaging.If you are specifically looking at the Debian or Ubuntu packages, you can find the full packaging information in the salsa repositories at https://salsa.debian.org/postgresql/postgresql. It will have all teh details you need.
On 12/9/20 4:51 AM, Aravindhan Krishnan wrote: > The paid version I had mentioned about was the paid OS (ubuntu) for FIPS > compliancy. I understand that postgres as is completely available for open-source. > > Since we can't get the paid version of the OS to support FIPS compliancy the > idea was to build postgres against FIPS compliant SSL/crypto of 1.0.2g and get > it to work on ubuntu 20.04 for which I was interested in the configure option. Actual FIPS compliance is held by the distributor of the SSL library you use. While you can, for example, configure a CentOS 7 system to be in "FIPS mode", it is still not "FIPS compliant" if you didn't get the bits (the SSL library itself) from Red Hat (which you did not if you are running CentOS). The situation is the same with Ubuntu, except as far as I am aware you cannot even get your hands on the SSL library for "FIPS mode" from Ubuntu unless you pay them, unlike CentOS. So no matter what you do with Postgres itself, you will not be FIPS compliant without paying RHEL/Ubuntu/SUSE or getting your stack certified yourself (which is not likely something you will want to do and would cost you more anyway). HTH, Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development