Re: Allow tests to pass in OpenSSL FIPS mode

From Peter Eisentraut
Subject Re: Allow tests to pass in OpenSSL FIPS mode
Date
Msg-id ee465e37-62e9-4577-999c-42a65753bef0@eisentraut.org
In response to Re: Allow tests to pass in OpenSSL FIPS mode  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Allow tests to pass in OpenSSL FIPS mode  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On 05.10.23 22:55, Tom Lane wrote:
> I found another bit of fun we'll need to deal with: on my F38
> platform, pgcrypto/3des fails as attached.  Some googling finds
> this relevant info:
> 
> https://github.com/pyca/cryptography/issues/6875
> 
> That is, FIPS deprecation of 3DES is happening even as we speak.
> So apparently we'll have little choice but to deal with two
> different behaviors for that.
> 
> As before, I'm not too pleased with the user-friendliness
> of the error:
> 
> +ERROR:  encrypt error: Cipher cannot be initialized
> 
> That's even less useful to a user than "unsupported".
> 
> FWIW, everything else seems to pass with this patchset.
> I ran check-world as well as the various "must run manually"
> test suites.

I've been trying to get some VM set up with the right Red Hat 
environment to be able to reproduce the issues you reported.  But 
somehow switching the OS into FIPS mode messes up the boot environment 
of the VM or something.  So I haven't been able to make progress on this.

I suggest that if there are no other concerns, we proceed with the patch 
set as is for now.

The 3DES deprecation can be addressed by adding another expected file, 
which can easily be supplied by someone having this environment running.

The error message difference in the older OpenSSL version would probably 
need a small bit of coding.  But we can leave that as a separate add-on 
project.



