[pgpool-general: 7430] Re: Pgpool works on FIPS mode of VA - very important
Tatsuo Ishii
ishii at sraoss.co.jp
Tue Mar 9 11:11:13 JST 2021
> Hi Pgpool team,
>
> We have made our hosts FIPS compliant and using pgpool for clustering. How
> to make pgpool libraries as well, FIPS compliant?

I am not familiar with FIPS. Correct me if I am wrong.

Pgpool-II uses encryption modules in several places:

ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
# Allowed SSL ciphers
# (change requires restart)
ssl_prefer_server_ciphers = off
# Use server's SSL cipher preferences,
# rather than the client's
# (change requires restart)
ssl_ecdh_curve = 'prime256v1'
# Name of the curve to use in ECDH key exchange
ssl_dh_params_file = ''

You can choose appropriate values for these parameters to satisfy
FIPS.

Other parameters using encryption are named "*.password". For example:

sr_check_password = ''

You can choose a strong encryption module (AES-256-CBC) for these. See
the manual for more details.

One thing I am worried about is the pcp password. It's encrypted in md5,
which is not too strong an encryption method. This may or may not satisfy
FIPS.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
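
The settings named in this message can be checked mechanically. The following is an added example, not part of the original message or of Pgpool-II: a small audit over constructed pgpool.conf and pcp.conf text. The weak-keyword list and the curve allow-list are an assumed review policy, not an official FIPS list, and the pcp.conf user and hash are placeholders.

```python
import re

# Constructed sample input: the pgpool.conf values quoted in the message,
# plus one placeholder pcp.conf entry (user:md5hash; not a real hash).
SAMPLE_CONF = """\
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'   # Allowed SSL ciphers
ssl_prefer_server_ciphers = off
ssl_ecdh_curve = 'prime256v1'
ssl_dh_params_file = ''
sr_check_password = ''
"""
SAMPLE_PCP = "pcpadmin:0123456789abcdef0123456789abcdef\n"

# Assumed review policy for illustration; not an official FIPS list.
WEAK_WORDS = {"MEDIUM", "LOW", "3DES", "RC4", "MD5", "SEED", "CAMELLIA"}
NIST_CURVES = {"prime256v1", "secp384r1", "secp521r1"}

def parse_conf(text):
    """Return {name: value} for "name = value  # comment" lines."""
    pat = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*(?:'([^']*)'|([^#\s]*))")
    out = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out

def audit(conf, pcp_text=""):
    """Return a list of findings for the settings discussed in the message."""
    findings = []
    for item in filter(None, re.split(r"[:, ]+", conf.get("ssl_ciphers", ""))):
        op = item[0] if item[0] in "!+-" else ""
        weak = set(item[len(op):].split("+")) & WEAK_WORDS
        if weak and op == "":
            findings.append(f"ssl_ciphers enables {item}")
        elif weak and op in ("+", "-"):
            # '+' only moves ciphers to the end and '-' can be undone later;
            # only '!' removes a cipher family for good.
            findings.append(f"ssl_ciphers has {item}; use !{item[1:]} to exclude")
    curve = conf.get("ssl_ecdh_curve", "")
    if curve not in NIST_CURVES:
        findings.append(f"ssl_ecdh_curve {curve!r} is not a NIST P-curve")
    for name, val in conf.items():
        # An empty value is skipped; other values must carry the AES prefix.
        if name.endswith("_password") and val and not val.startswith("AES"):
            findings.append(f"{name} is not AES-encrypted")
    for line in pcp_text.splitlines():
        user, _, digest = line.partition(":")
        if re.fullmatch(r"[0-9a-fA-F]{32}", digest.strip()):
            findings.append(f"pcp.conf user {user} has an MD5 password hash")
    return findings
```

Calling `audit(parse_conf(SAMPLE_CONF), SAMPLE_PCP)` on the quoted values reports the enabled MEDIUM class, the `+3DES` entry that only reorders rather than excludes, and the MD5-hashed pcp entry.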