Discussion:
Postgre SQL SHA-256 Compliance
Anthony Burden
2014-09-22 14:24:01 UTC
validate some software with you to
ensure that all our installed PostgreSQL software meets SHA-256 compliance.
There are basically two things we are looking for:

1) Identify all COTS software purchased as part of scheduled and budgeted
technology refreshes and upgrades must be SHA-256 compliant.

2) All DOD information systems that have been upgraded or are upgrading to
support SHA-256 compliance must continue to maintain backwards compatibility
with DOD's current SHA-1 credentials.

All the software we are using is:
PostgreSQL 8.2 8.2

Can you confirm that your software is SHA-256 Compliant?

--
Sent via pgsql-general mailing list (pgsql-***@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Adrian Klaver
2014-09-22 14:34:58 UTC
Post by Anthony Burden
validate some software with you to
ensure that all our installed PostgreSQL software meets SHA-256 compliance.
1) Identify all COTS software purchased as part of scheduled and budgeted
technology refreshes and upgrades must be SHA-256 compliant.
2) All DOD information systems that have been upgraded or are upgrading to
support SHA-256 compliance must continue to maintain backwards compatibility
with DOD's current SHA-1 credentials.
PostgreSQL 8.2 8.2
First, the oldest supported release is 9.0, currently at 9.0.18.
Post by Anthony Burden
Can you confirm that your software is SHA-256 Compliant?
Second, what does the above mean?

I found this:

http://www.acq.osd.mil/dpap/ops/docs/Public%20Briefing%20-%20DoD%20SHA-256%20Migration%2018%20Mar%202011.pdf

but my eyes quickly glazed over :) So a synopsis would be helpful.
--
Adrian Klaver
***@aklaver.com
Paul Jungwirth
2014-09-22 14:46:41 UTC
Post by Anthony Burden
Can you confirm that your software is SHA-256 Compliant?
Postgres's SSL certificate & key live at the value of ssl_cert_file
and ssl_key_file in your postgresql.conf. Why not point it at a
SHA-256 certificate, restart, and try it out?

Paul
--
_________________________________
Pulchritudo splendor veritatis.
Neil Tiffin
2014-09-22 15:15:36 UTC
Post by Paul Jungwirth
Post by Anthony Burden
Can you confirm that your software is SHA-256 Compliant?
Postgres's SSL certificate & key live at the value of ssl_cert_file
and ssl_key_file in your postgresql.conf. Why not point it at a
SHA-256 certificate, restart, and try it out?
Unfortunately, that is not the way the government usually works. The person requesting the info may not even have access to the system or know how to use the system. This is especially true if the system is classified at any level.
Karsten Hilbert
2014-09-22 17:03:17 UTC
Post by Neil Tiffin
Post by Paul Jungwirth
Post by Anthony Burden
Can you confirm that your software is SHA-256 Compliant?
Postgres's SSL certificate & key live at the value of ssl_cert_file
and ssl_key_file in your postgresql.conf. Why not point it at a
SHA-256 certificate, restart, and try it out?
Unfortunately, that is not the way the government usually
works. The person requesting the info may not even have
access to the system or know how to use the system. This is
especially true if the system is classified at any level.
There is no need for access because the exact version is known.

Install a local PG 8.2, at home, on your laptop, and check.

Karsten
--
GPG key ID E4071346 @ gpg-keyserver.de
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
Albe Laurenz
2014-09-22 14:42:58 UTC
Post by Anthony Burden
validate some software with you to
ensure that all our installed PostgreSQL software meets SHA-256 compliance.
1) Identify all COTS software purchased as part of scheduled and budgeted
technology refreshes and upgrades must be SHA-256 compliant.
2) All DOD information systems that have been upgraded or are upgrading to
support SHA-256 compliance must continue to maintain backwards compatibility
with DOD's current SHA-1 credentials.
PostgreSQL 8.2 8.2
Can you confirm that your software is SHA-256 Compliant?
If you mean whether a SSL database connection can use SHA-256 or not,
that depends on the OpenSSL library your PostgreSQL uses.
If your OpenSSL version supports SHA-256, so does PostgreSQL.

Yours,
Laurenz Albe
Merlin Moncure
2014-09-22 15:17:47 UTC
Post by Albe Laurenz
Post by Anthony Burden
validate some software with you to
ensure that all our installed PostgreSQL software meets SHA-256 compliance.
1) Identify all COTS software purchased as part of scheduled and budgeted
technology refreshes and upgrades must be SHA-256 compliant.
2) All DOD information systems that have been upgraded or are upgrading to
support SHA-256 compliance must continue to maintain backwards compatibility
with DOD's current SHA-1 credentials.
PostgreSQL 8.2 8.2
Can you confirm that your software is SHA-256 Compliant?
If you mean whether a SSL database connection can use SHA-256 or not,
that depends on the OpenSSL library your PostgreSQL uses.
If your OpenSSL version supports SHA-256, so does PostgreSQL.
Well, it may be more than that depending on what 'SHA-256 compliance'
means. Postgres still uses md5 for password authentication. This has
a significant downside: it requires endlessly explaining the actual
danger to those who are security experts but don't know the difference
between collision and preimage resistance.

For everything but password auth postgres depends on SSL and is configurable.

merlin
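Merlin's remark that Postgres "still uses md5 for password authentication" is easier to weigh with the exchange in front of you. The following is an added example, not code from the thread or from PostgreSQL itself: it computes what each side of the MD5 password method produces, following the formats in the PostgreSQL protocol documentation (stored form `md5` + hex(md5(password || username)); client answer to the 4-byte server salt `md5` + hex(md5(stored_hex || salt))). The role names, passwords and salts are constructed sample values. Nothing on this path touches TLS, so an SHA-256 certificate or a SHA-256-capable OpenSSL changes nothing here.

```python
import hashlib
import hmac
import os

# Added example: PostgreSQL's MD5 password authentication, computed on both sides.
# Formats follow the AuthenticationMD5Password description in the PostgreSQL protocol
# documentation; user names, passwords and salts below are constructed sample values.

def pg_md5_stored_hash(password: str, username: str) -> str:
    """Value kept for an MD5 password: 'md5' followed by hex(md5(password || username)).
    The role name is the only salt, so the same password on the same role name yields
    the same stored value on every server."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

def pg_md5_client_response(password: str, username: str, salt: bytes) -> str:
    """What the client sends after an AuthenticationMD5Password message carrying a 4-byte
    salt: 'md5' followed by hex(md5(hex(md5(password || username)) || salt))."""
    if len(salt) != 4:
        raise ValueError("server salt is exactly 4 bytes")
    inner_hex = pg_md5_stored_hash(password, username)[3:]       # drop the 'md5' prefix
    return "md5" + hashlib.md5(inner_hex.encode("ascii") + salt).hexdigest()

def pg_md5_server_verify(stored_hash: str, response: str, salt: bytes) -> bool:
    """Server side: the cleartext password is never seen; the expected response is derived
    from the stored hash plus the salt the server issued, then compared in constant time."""
    if not stored_hash.startswith("md5") or len(stored_hash) != 35:
        raise ValueError("not an MD5-format stored password")
    expected = "md5" + hashlib.md5(stored_hash[3:].encode("ascii") + salt).hexdigest()
    return hmac.compare_digest(expected, response)

def simulate_md5_login(username: str, password_on_server: str, password_typed: str) -> bool:
    """One complete authentication exchange with a fresh random salt."""
    stored = pg_md5_stored_hash(password_on_server, username)    # fixed at CREATE/ALTER ROLE time
    salt = os.urandom(4)                                          # server picks a salt per attempt
    response = pg_md5_client_response(password_typed, username, salt)
    return pg_md5_server_verify(stored, response, salt)

if __name__ == "__main__":
    print(pg_md5_stored_hash("", ""))                                          # md5d41d8cd98f00b204e9800998ecf8427e
    print(simulate_md5_login("app_user", "correct horse", "correct horse"))   # True
    print(simulate_md5_login("app_user", "correct horse", "wrong"))           # False
```

Read against Merlin's collision-versus-preimage point: no step above asks MD5 to be collision resistant, so the published MD5 collision attacks do not by themselves recover a password from this exchange. The properties that do matter are that the hash is fast, is salted only with the role name, and that the stored value is all the server needs to accept a login, which is why a stored MD5 hash has to be protected like the password itself. Later releases (PostgreSQL 10 and up) add SCRAM-SHA-256 (`password_encryption = 'scram-sha-256'`) precisely to replace this construction; nothing in the 8.2 or 9.x line offers it.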
Stephen Frost
2014-09-22 15:34:10 UTC
Anthony,
Post by Anthony Burden
validate some software with you to
ensure that all our installed PostgreSQL software meets SHA-256 compliance.
1) Identify all COTS software purchased as part of scheduled and budgeted
technology refreshes and upgrades must be SHA-256 compliant.
2) All DOD information systems that have been upgraded or are upgrading to
support SHA-256 compliance must continue to maintain backwards compatibility
with DOD's current SHA-1 credentials.
PostgreSQL 8.2 8.2
PostgreSQL is now at version 9.3, with 9.0 being the oldest version
which is supported by PGDG (the PostgreSQL Global Development Group, aka
the PostgreSQL community). Support for older versions may be
available from PostgreSQL support vendors; a list of vendors in North
America is available here:

http://www.postgresql.org/support/professional_support/northamerica/
Post by Anthony Burden
Can you confirm that your software is SHA-256 Compliant?
As mentioned elsewhere on the thread, if this question is about SHA-256
support in OpenSSL, you would need to check the OpenSSL library on your
system. If the operating system you're running PostgreSQL on is as old
as the version of PostgreSQL you're running then I would be quite
worried that it does not support SHA-256.

Generally, I'd recommend you look to upgrade to a version of your OS
which includes a version of PostgreSQL which is currently considered
supported by the PGDG (e.g. Red Hat Enterprise Linux 7 includes
PostgreSQL 9.2) and verify that the OpenSSL also supports SHA-256 (RHEL7
does).

Thanks!

Stephen
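Paul's suggestion (point ssl_cert_file at a SHA-256 certificate and try it), and Albe's and Stephen's point that the answer rests on the OpenSSL library underneath, come down to two concrete checks. The following is an added example, not code from the thread or from PostgreSQL: it reports whether the OpenSSL-backed hashlib in the Python runtime offers SHA-256, and it walks the DER of an X.509 certificate (PEM input accepted) to read the outer signatureAlgorithm OID and flag SHA-1 signatures. The `build_stub_cert` helper produces constructed DER skeletons with the Certificate shape for demonstration only; they are not usable certificates. On a real server, feed `signature_algorithm_oid` the file named by ssl_cert_file.

```python
import base64
import hashlib
import ssl

# Added example (not from the thread or from PostgreSQL): check SHA-256 availability in the
# OpenSSL underneath Python, and read the signature algorithm of an X.509 certificate.

# Signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA2_FAMILY = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
               "sha512WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384"}

def openssl_report():
    """Which OpenSSL this Python is built against, and whether it offers SHA-256."""
    return {"openssl": ssl.OPENSSL_VERSION,
            "sha256_available": "sha256" in hashlib.algorithms_available}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]       # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear: last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert):
    """Outer signatureAlgorithm OID of a certificate given as DER bytes or PEM text.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280)."""
    if isinstance(cert, str) or cert.lstrip().startswith(b"-----BEGIN"):
        pem = cert if isinstance(cert, str) else cert.decode("ascii")
        cert = ssl.PEM_cert_to_DER_cert(pem.strip())
    tag, body, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def check_certificate(cert):
    """Return (algorithm name, ok); ok is True only for SHA-2 family signatures."""
    oid = signature_algorithm_oid(cert)
    name = SIG_ALG_NAMES.get(oid, oid)
    return name, name in SHA2_FAMILY

def build_stub_cert(sig_oid_der):
    """Constructed DER skeleton with the three-element Certificate shape, for demonstration
    only: tbsCertificate and signatureValue are placeholders, so this is not a real certificate."""
    tbs = b"\x30\x03\x02\x01\x01"                                   # SEQUENCE { INTEGER 1 }
    alg = b"\x30" + bytes([len(sig_oid_der) + 2]) + sig_oid_der + b"\x05\x00"  # OID + NULL params
    sig = b"\x03\x02\x00\x00"                                       # BIT STRING placeholder
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body

def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block, the form ssl_cert_file normally holds."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")

SHA256_RSA_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
SHA1_RSA_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # 1.2.840.113549.1.1.5

if __name__ == "__main__":
    print(openssl_report())
    print(check_certificate(build_stub_cert(SHA256_RSA_OID_DER)))   # ('sha256WithRSAEncryption', True)
    print(check_certificate(to_pem(build_stub_cert(SHA1_RSA_OID_DER))))  # ('sha1WithRSAEncryption', False)
```

The command-line equivalent of the certificate half is `openssl x509 -in server.crt -noout -text` and reading the `Signature Algorithm` line; the reason for a parser here is that it can be run in bulk against every ssl_cert_file on an inventory and produce a yes/no answer, which is closer to what a compliance questionnaire actually asks for. Keep in mind the caveat from the thread: a SHA-256 certificate only proves anything if the OpenSSL the server links against can verify SHA-256 signatures, and an OS as old as PostgreSQL 8.2 may not ship one.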