[pgpool-general: 7431] Re: Pgpool works on FIPS mode of VA - very important

Tatsuo Ishii ishii at sraoss.co.jp
Tue Mar 9 12:45:36 JST 2021


Yes, there is no FIPS compliant pgpool library.

> Thanks Tatsuo, is it that there is no FIPS compliant pgpool library
> available as such?
> 
> On Tue, Mar 9, 2021, 7:41 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> 
>> > Hi Pgpool team,
>> >
>> > We have made our hosts FIPS compliant and using pgpool for clustering.
>> > How to make pgpool libraries as well, FIPS compliant?
>>
>> I am not familiar with FIPS. Correct me if I am wrong.
>>
>> Pgpool-II uses encryption modules in several places:
>>
>> ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
>>                                    # Allowed SSL ciphers
>>                                    # (change requires restart)
>> ssl_prefer_server_ciphers = off
>>                                    # Use server's SSL cipher preferences,
>>                                    # rather than the client's
>>                                    # (change requires restart)
>> ssl_ecdh_curve = 'prime256v1'
>>                                    # Name of the curve to use in ECDH key exchange
>> ssl_dh_params_file = ''
>>
>> You can choose appropriate values for these parameters to satisfy
>> FIPS.
>>
>> Other parameters using encryption are named "*.password". For example:
>>
>> sr_check_password = ''
>>
>> You can choose a strong encryption module (AES-256-CBC) for these. See
>> the manual for more details.
>>
>> One thing I am worried about is the pcp password. It's encrypted in md5,
>> which is not too strong an encryption method. This may or may not satisfy FIPS.
>>
>> Best regards,
>> --
>> Tatsuo Ishii
>> SRA OSS, Inc. Japan
>> English: http://www.sraoss.co.jp/index_en.php
>> Japanese:http://www.sraoss.co.jp
>>
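
An audit of the parameters named in the message above, as an added example that is not part of the thread and not Pgpool-II code. It assumes a site policy list of excluded algorithms (`EXCLUDED`), the manual's convention that AES-encrypted password values carry an `AES` prefix, and a constructed sample configuration.

```python
import re

# Assumed policy list (not from the thread): OpenSSL cipher-string keywords
# for algorithms the site's FIPS policy excludes. Adjust to your own policy.
EXCLUDED = ("MD5", "RC4", "3DES")

# Matches: key = 'value'  # comment   (the value may also be unquoted)
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(?:'([^']*)'|([^#\s]*))")

def parse_conf(text):
    """Return {parameter: value} for every assignment in pgpool.conf text."""
    params = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def audit(text, excluded=EXCLUDED):
    """Return a sorted list of (parameter, finding) tuples."""
    findings = []
    params = parse_conf(text)
    if "ssl_ciphers" in params:
        tokens = params["ssl_ciphers"].replace(",", ":").split(":")
        for alg in excluded:
            # In an OpenSSL cipher string only "!ALG" removes ALG for good;
            # "+ALG" merely moves matching suites to the end of the list.
            if "!" + alg not in tokens:
                findings.append(("ssl_ciphers", alg + " not excluded with !" + alg))
    for key, value in params.items():
        # Assumption: AES-encrypted values start with "AES"; empty is skipped.
        if key.endswith("password") and value and not value.startswith("AES"):
            findings.append((key, "value is not AES-encrypted"))
    return sorted(findings)

# Constructed sample: ssl_* lines as quoted in the thread, made-up password.
SAMPLE = """
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'   # Allowed SSL ciphers
ssl_prefer_server_ciphers = off
ssl_ecdh_curve = 'prime256v1'
sr_check_password = 'TEXTexample-only'     # constructed value
health_check_password = ''
"""

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(key + ": " + finding)
```

The cipher check is deliberately conservative: it reports any listed algorithm that lacks an explicit `!` exclusion, whether or not the local OpenSSL build would actually offer it.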

