- Obtain the OpenSSL FIPS module 2.0 source from the OpenSSL source download page
    wget https://www.openssl.org/source/openssl-fips-2.0.13.tar.gz
    tar -zxvf openssl-fips-2.0.13.tar.gz
    cd openssl-fips-2.0.13
- Configure and build
    ./config
    make
- Install it
    sudo make install
  This will install the FIPS module to /usr/local/ssl/fips-2.0 by default.
- Obtain the OpenSSL source from the OpenSSL source download page.
    wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
    tar -zxvf openssl-1.0.2j.tar.gz
    cd openssl-1.0.2j
  IMPORTANT: The most recent version of OpenSSL that supports the FIPS module is 1.0.2. Trying to use a more recent version will fail when building!
- Decompress, configure to use FIPS, and build
    ./config fips shared
    make depend
    make all
- Install it
    sudo make install
- Obtain the PostgreSQL source from the Postgres source download page.
    wget https://ftp.postgresql.org/pub/source/v9.6.1/postgresql-9.6.1.tar.gz
    tar -zxvf postgresql-9.6.1.tar.gz
    cd postgresql-9.6.1
- Modify the PostgreSQL source code to enable FIPS
  - Find the files that need to be modified. Every file returned by this command will need to be edited. There are typically only two.
      grep -R SSL_library_init *
  - Open each file with a text editor (e.g., vi or emacs)
-
-
- Configure to point to FIPS library and build
- Install it
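A check to run after the source edits, as an added example that is not from the original post: it repeats the SSL_library_init search and lists any file that has no FIPS_mode_set call outside of comments. It assumes the FIPS edit is a call to OpenSSL 1.0.2's FIPS_mode_set(1); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the FIPS edit is a FIPS_mode_set(1) call
# (OpenSSL 1.0.2 API) added in each file that calls SSL_library_init.

# Print every C file under $1 that calls SSL_library_init but has no
# FIPS_mode_set call outside of comments.
unpatched_files() {
    grep -R -l --include='*.c' 'SSL_library_init' "$1" 2>/dev/null |
    while IFS= read -r f; do
        # Drop // and one-line /* */ comments so a commented-out call
        # is not counted as a real one.
        if ! sed -e 's|//.*$||' -e 's|/\*.*\*/||g' "$f" |
                grep -q 'FIPS_mode_set[[:space:]]*('; then
            printf '%s\n' "$f"
        fi
    done
}

# Exit status 0 only when every such file also calls FIPS_mode_set.
check_fips_patch() {
    missing=$(unpatched_files "$1")
    if [ -n "$missing" ]; then
        printf 'SSL_library_init without FIPS_mode_set:\n%s\n' "$missing" >&2
        return 1
    fi
}

# Constructed two-file tree (not PostgreSQL code): one file patched, one
# with the call commented out. Prints the files still unpatched.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/backend" "$d/frontend"
    printf 'SSL_library_init();\nFIPS_mode_set(1);\n' > "$d/backend/be.c"
    printf 'SSL_library_init();\n/* FIPS_mode_set(1); */\n' > "$d/frontend/fe.c"
    (cd "$d" && unpatched_files .)
    rm -rf "$d"
}
```

Run `check_fips_patch src` from the top of the PostgreSQL source tree before the configure step; a non-zero exit status means at least one file was missed.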
Hello Walker,
I am trying to make Postgres FIPS enabled. I have followed the steps you mentioned above. My question is: how do you point the output files to the FIPS library? Presently I have two files: 1) src/backend/libpq/be-secure-openssl.c 2) src/interfaces/libpq/fe-secure-openssl.c
Could you help me with the place where we modify the code and what needs to be added?