Hi Krishna,

You will need to build the cryptography library from source to avoid using the static library that ships with the wheel package. I recommend using a virtual environment to do this. Some commands:

$ python3 -m venv /tmp/venv
$ source /tmp/venv/bin/activate
$ pip install cryptography --no-binary cryptography

At this point you can do the following to enable FIPS mode:

$ python
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)

Scott

On Thu, Jan 10, 2019 at 4:37 PM Krishna Kumar <krishnamnni...@gmail.com> wrote:
> Hi
>
> I am new to python and I am trying to run mitmproxy
> <https://mitmproxy.org/> in fips mode. It uses cryptography
> <https://github.com/mitmproxy/mitmproxy/issues/1808>. Since it's built on
> top of python I thought we need to make my python use fips openssl and
> enable fips mode in it.
>
> I compiled python 3.6 against fips openssl and along with exposing
> functions to enable fips mode in it as explained here
> <https://stackoverflow.com/questions/49493537/how-to-implement-fips-mode-and-fips-mode-set-in-python-3-6s-ssl-module>
> .
>
> Python shows that it uses fips openssl
>
> nsroot@Egress-1:~/openssl$ python3
> Python 3.6.4 (default, Jan 10 2019, 21:10:38)
> [GCC 5.4.0 20160609] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import ssl
> >>> ssl.OPENSSL_VERSION
> *'OpenSSL 1.0.2q-fips 20 Nov 2018'*
>
> But when I do the following I see a different version
>
> nsroot@Egress-1:~/python$ python3
> Python 3.6.4 (default, Jan 10 2019, 21:10:38)
> [GCC 5.4.0 20160609] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from OpenSSL import SSL
> >>> print("OpenSSL: {}".format(SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode()),)
> *OpenSSL: OpenSSL 1.1.0j 20 Nov 2018*
>
> So I guess I am getting a different version because cryptography comes with
> its own version of openssl as mentioned here
> https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux
>
> Looking at the documentation it looks like it's tested with fips openssl
> https://cryptography.io/en/latest/installation/#supported-platforms.
>
> The link
> <https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux>
> doesn't explain in detail how we can compile cryptography step by step with
> any custom openssl, here in my case with fips openssl. Is there any other
> link or documentation which I can follow to compile cryptography against
> fips openssl? Any help is appreciated.
>
> Also once it's compiled against fips openssl how do we enable fips mode in
> it. Openssl documentation says the application should call FIPS_mode_set()
> to be really in FIPS mode. How do we do it for the openssl used by
> cryptography so that the application mitmproxy uses FIPS crypto.
>
> Thanks
> Krishna kumar
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
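A check for the mismatch discussed in this thread, added here as an example and not code from either poster or from the cryptography project: it compares the OpenSSL banner reported by the standard ssl module with the one cryptography is linked against and flags a non-FIPS build. The helper names are hypothetical, the "-fips" banner suffix is treated as the OpenSSL 1.0.2 convention shown in the thread, and FIPS_mode() is assumed to be exposed by the bindings only on FIPS-capable builds.

```python
import re
import ssl

# Matches banners such as 'OpenSSL 1.0.2q-fips 20 Nov 2018' (1.0.2-era naming).
_BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(-fips)?\b")


def parse_banner(text):
    """Return (version, is_fips_build) from an OpenSSL version banner."""
    m = _BANNER.search(text)
    if m is None:
        raise ValueError("not an OpenSSL banner: %r" % text)
    return m.group(1), m.group(2) is not None


def findings(ssl_banner, crypto_banner):
    """List reasons FIPS_mode_set(1) would not cover cryptography's OpenSSL."""
    ssl_ver, _ = parse_banner(ssl_banner)
    crypto_ver, crypto_fips = parse_banner(crypto_banner)
    out = []
    if ssl_ver != crypto_ver:
        out.append("ssl links %s but cryptography links %s" % (ssl_ver, crypto_ver))
    if not crypto_fips:
        out.append("cryptography's OpenSSL %s is not a -fips build" % crypto_ver)
    return out


def live_check():
    """Inspect the running interpreter; returns (findings, fips_mode or None)."""
    from cryptography.hazmat.backends.openssl.backend import backend
    problems = findings(ssl.OPENSSL_VERSION, backend.openssl_version_text())
    # Assumption: FIPS_mode() (the query counterpart of FIPS_mode_set) is only
    # present in the bindings when the linked OpenSSL is FIPS-capable.
    query = getattr(backend._lib, "FIPS_mode", None)
    return problems, (query() if query else None)


if __name__ == "__main__":
    try:
        problems, mode = live_check()
    except (ImportError, ValueError) as exc:
        raise SystemExit(str(exc))
    for p in problems:
        print("WARNING:", p)
    print("FIPS mode:", mode)
```

Run it inside the virtual environment after the source build; no warnings and a non-zero FIPS mode after FIPS_mode_set(1) indicate the source-built library is the one in use.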