Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)
From | Michael Paquier |
---|---|
Subject | Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256) |
Date | |
Msg-id | YjpSkOHebto4hoVm@paquier.xyz |
In response to | Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256) ("McDermott, Becky" <bmcderm@sandia.gov>) |
Responses | Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256); RE: [EXTERNAL] Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256) |
List | pgsql-jdbc |
On Tue, Mar 22, 2022 at 03:58:49PM +0000, McDermott, Becky wrote:
> We have a requirement to run all of our applications on FIPS enabled hosts.
>
> We currently run postgres in a container that is executing on a FIPS enabled host with the setting: password_encryption= scram-sha-256
>
> I am able to connect from one container to the postgres container/service using psql commands. However, none of our Java clients can connect to the postgresql database. If we run postgresql on a non-FIPS enabled host, everything works fine.
>
> Our postgres/jdbc versions are 12.7/42.2.5

Is FIPS enabled on the host holding the PostgreSQL instance? I am afraid that you may run into problems in this case, in the shape of a crash in the backend. Internally, when compiled with OpenSSL, Postgres computes its set of SHA-256 hashes with the low-level cryptohashes APIs called SHA256_Init/Update/Final(), and these are known to blow up for most versions of OpenSSL (1.0.2 with unpatched upstream, but some Linux distributions patch 1.1.0, and it may still blow up with an exit() in the middle of its stack in one of the OpenSSL .so libs).

Postgres 14 is able to work by going through the EVP layer for its SHA-2 computations, instead.

--
Michael
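
For reference, the SHA-256 operations behind a `scram-sha-256` login, as an added example that is not part of the original message and is not PostgreSQL or pgjdbc code: it follows RFC 5802/7677 with Python's standard library and shows that every step of building and checking the stored verifier is a SHA-256, HMAC-SHA-256 or PBKDF2-HMAC-SHA-256 computation, which is why the server's SHA-256 code path matters on a FIPS host. The function names, sample password, salt and auth-message bytes are constructed for illustration, and SASLprep is omitted (ASCII password assumed).

```python
import base64
import hashlib
import hmac

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def _hmac256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _salted(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 as the PRF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def build_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Stored secret: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>."""
    salted = _salted(password, salt, iterations)
    stored_key = hashlib.sha256(_hmac256(salted, b"Client Key")).digest()
    server_key = _hmac256(salted, b"Server Key")
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), sent as p=..."""
    client_key = _hmac256(_salted(password, salt, iterations), b"Client Key")
    signature = _hmac256(hashlib.sha256(client_key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(verifier: str, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to StoredKey."""
    parts = verifier.split("$")
    if len(parts) != 3 or parts[0] != "SCRAM-SHA-256":
        return False
    stored_key = base64.b64decode(parts[2].split(":")[0])
    if len(proof) != len(stored_key):
        return False
    signature = _hmac256(stored_key, auth_message)
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt
    auth = b"n=app,r=abc,r=abcdef,s=AAECAwQFBgcICQoLDA0ODw==,i=4096,c=biws,r=abcdef"  # constructed
    verifier = build_verifier("pencil", salt)
    print(verifier)
    print(server_verify(verifier, auth, client_proof("pencil", salt, 4096, auth)))
    print(server_verify(verifier, auth, client_proof("wrong", salt, 4096, auth)))
```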