public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Peter Eisentraut <[email protected]>
Cc: pgsql-hackers <[email protected]>
Cc: [email protected]
Subject: Re: Allow tests to pass in OpenSSL FIPS mode
Date: Sun, 14 Sep 2025 15:02:15 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
[ blast-from-the-past department ]
I wrote:
> Peter Eisentraut <[email protected]> writes:
>> I suggest that if there are no other concerns, we proceed with the patch
>> set as is for now.
> After thinking about it for awhile, I guess I'm okay with only
> bothering to provide expected-files for FIPS failures under OpenSSL
> 3.x (which is how your patch is set up, I believe). While there are
> certainly still LTS platforms with 1.x, we don't have to consider FIPS
> mode on them to be a supported case.
I see that Mark W. has just spun up a couple of BF animals running
FIPS mode under SLES 15 (goshawk and shoebill). Not too surprisingly,
they are failing the MD5 test:
select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";
-ERROR: could not compute MD5 hash: unsupported
+ERROR: could not compute MD5 hash: disabled for FIPS
select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE";
-ERROR: could not compute MD5 hash: unsupported
+ERROR: could not compute MD5 hash: disabled for FIPS
(etc etc)
Should we revisit the decision to not support this spelling
of the error message? SLES 15 has got another decade or so
of support according to wikipedia [1], so it's hard to call it
a dead platform.
It looks like it'd be easy enough to generate the required
alternate expected-file, just s/unsupported/disabled for FIPS/g.
Happy to take care of this if there are not objections.
regards, tom lane
[1] https://en.wikipedia.org/wiki/SUSE_Linux_Enterprise#End-of-support_schedule
view thread (19+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Allow tests to pass in OpenSSL FIPS mode
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox