[pgpool-general: 7432] Re: Pgpool works on FIPS mode of VA - very important

Anusha Natarajan anunataraj194 at gmail.com
Tue Mar 9 12:54:59 JST 2021


Thank you for the clarification.

On Tue, Mar 9, 2021, 9:15 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> Yes, there is no FIPS compliant pgpool library.
>
> > Thanks Tatsuo, is it that there is no FIPS compliant pgpool library
> > available as such?
> >
> > On Tue, Mar 9, 2021, 7:41 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> >
> >> > Hi Pgpool team,
> >> >
> >> > We have made our hosts FIPS compliant and using pgpool for clustering. How
> >> > to make pgpool libraries as well, FIPS compliant?
> >>
> >> I am not familiar with FIPS. Correct me if I am wrong.
> >>
> >> Pgpool-II uses encryption modules in several places:
> >>
> >> ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
> >>                                    # Allowed SSL ciphers
> >>                                    # (change requires restart)
> >> ssl_prefer_server_ciphers = off
> >>                                    # Use server's SSL cipher preferences,
> >>                                    # rather than the client's
> >>                                    # (change requires restart)
> >> ssl_ecdh_curve = 'prime256v1'
> >>                                    # Name of the curve to use in ECDH key exchange
> >> ssl_dh_params_file = ''
> >>
> >> You can choose appropriate values for these parameters to satisfy
> >> FIPS.
> >>
> >> Other parameters using encryption are named "*.password". For example:
> >>
> >> sr_check_password = ''
> >>
> >> You can choose strong encryption module (AES-256-CBC) for these. See
> >> manual for more details.
> >>
> >> One thing I am worried about is the pcp password. It's encrypted in md5, which
> >> is not too strong an encryption method. This may or may not satisfy FIPS.
> >>
> >> Best regards,
> >> --
> >> Tatsuo Ishii
> >> SRA OSS, Inc. Japan
> >> English: http://www.sraoss.co.jp/index_en.php
> >> Japanese:http://www.sraoss.co.jp
> >>
>
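
A triage script for the settings named in this thread, added here as an example; it is not part of the original messages or of Pgpool-II. It parses pgpool.conf-style text and lists values to review against FIPS requirements. The set of non-approved cipher keywords, the `md5` password prefix and the `health_check_password` sample value are assumptions made for the example.

```python
import re

# Constructed sample: the settings quoted in the thread, plus one made-up
# md5-prefixed password value to exercise the password check.
SAMPLE_CONF = """\
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'   # Allowed SSL ciphers
ssl_prefer_server_ciphers = off
ssl_ecdh_curve = 'prime256v1'
ssl_dh_params_file = ''
sr_check_password = ''
health_check_password = 'md5deadbeefdeadbeefdeadbeefdeadbeef'
"""
# Assumption: OpenSSL cipher-string keywords that pull in non-approved algorithms.
NON_APPROVED = {"MEDIUM", "LOW", "3DES", "DES", "RC4", "MD5", "SEED", "IDEA"}
NIST_CURVES = {"prime256v1", "secp384r1", "secp521r1"}  # P-256, P-384, P-521
SETTING = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*(?:'([^']*)'|([^#\s]*))")

def parse_conf(text):
    """Return {name: value} for 'name = value' lines; quotes and comments dropped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def audit(settings):
    """Return (parameter, message) findings that need manual review."""
    findings = []
    for token in re.split(r"[:, ]+", settings.get("ssl_ciphers", "")):
        if not token or token[0] in "!-":  # '!' and '-' remove ciphers
            continue
        # A leading '+' only reorders: the ciphers stay enabled if another token added them.
        bad = sorted(set(token.lstrip("+").split("+")) & NON_APPROVED)
        if bad:
            findings.append(("ssl_ciphers", f"token {token!r} selects {', '.join(bad)}"))
    curve = settings.get("ssl_ecdh_curve", "")
    if curve and curve not in NIST_CURVES:
        findings.append(("ssl_ecdh_curve", f"{curve!r} is not a NIST P-curve"))
    for name, value in settings.items():
        # Assumption: an 'md5' prefix marks an MD5-hashed password value.
        if name.endswith("password") and value.startswith("md5"):
            findings.append((name, "MD5-hashed value; MD5 is not FIPS-approved"))
    return findings

if __name__ == "__main__":
    for name, message in audit(parse_conf(SAMPLE_CONF)):
        print(f"{name}: {message}")
```

An empty result only means none of these heuristics fired; whether the OpenSSL build that pgpool links against runs in FIPS mode is a separate question the script does not answer.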