Re: Allow tests to pass in OpenSSL FIPS mode
| От | Tom Lane |
|---|---|
| Тема | Re: Allow tests to pass in OpenSSL FIPS mode |
| Дата | |
| Msg-id | 443709.1757876535@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: Allow tests to pass in OpenSSL FIPS mode (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
[ blast-from-the-past department ]
I wrote:
> Peter Eisentraut <peter@eisentraut.org> writes:
>> I suggest that if there are no other concerns, we proceed with the patch
>> set as is for now.
> After thinking about it for awhile, I guess I'm okay with only
> bothering to provide expected-files for FIPS failures under OpenSSL
> 3.x (which is how your patch is set up, I believe). While there are
> certainly still LTS platforms with 1.x, we don't have to consider FIPS
> mode on them to be a supported case.
I see that Mark W. has just spun up a couple of BF animals running
FIPS mode under SLES 15 (goshawk and shoebill). Not too surprisingly,
they are failing the MD5 test:
select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";
-ERROR: could not compute MD5 hash: unsupported
+ERROR: could not compute MD5 hash: disabled for FIPS
select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE";
-ERROR: could not compute MD5 hash: unsupported
+ERROR: could not compute MD5 hash: disabled for FIPS
(etc etc)
Should we revisit the decision to not support this spelling
of the error message? SLES 15 has got another decade or so
of support according to wikipedia [1], so it's hard to call it
a dead platform.
It looks like it'd be easy enough to generate the required
alternate expected-file, just s/unsupported/disabled for FIPS/g.
Happy to take care of this if there are not objections.
regards, tom lane
[1] https://en.wikipedia.org/wiki/SUSE_Linux_Enterprise#End-of-support_schedule
В списке pgsql-hackers по дате отправления: