[issue37576] SSL Malloc Error w/OpenSSL 1.1.1c-fips & FIPS_mode_set(1)

2019-07-13 Thread Christian Heimes


Christian Heimes  added the comment:

You are welcome!

Could you please do me a favor and post the RHBZ# here after you have created a 
ticket? Thanks :)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue37576] SSL Malloc Error w/OpenSSL 1.1.1c-fips & FIPS_mode_set(1)

2019-07-12 Thread Scott Sturdivant


Scott Sturdivant  added the comment:

Thank you for your input; I wasn't sure where to place the bug. Red Hat it will 
be then!

And no worries, I get the FIPS validated vs compliant nuances. My target system 
has OpenSSL compiled per their directions; I just mentioned Fedora since it's 
relatively straightforward to duplicate. I'll check my target system as well, 
then given that outcome may see what Red Hat's Bugzilla has to say.

Thank you again!




[issue37576] SSL Malloc Error w/OpenSSL 1.1.1c-fips & FIPS_mode_set(1)

2019-07-12 Thread Christian Heimes


Christian Heimes  added the comment:

The issue is out of scope for Python's ssl module. FIPS mode is not supported 
by Python and I have no intention to start supporting FIPS mode in Python 
upstream. Any FIPS related bug is most likely related to Fedora's FIPS patches. 
Please open a Red Hat Bugzilla and report the issue against the openssl 
component on Fedora.

By the way, Fedora is not FIPS certified, so it makes no sense to enable FIPS on 
Fedora at all. You just get a crippled system without any benefits. 
Furthermore, OpenSSL 1.1.1 is also not FIPS certified.

--
resolution:  -> third party
stage:  -> resolved
status: open -> closed




[issue37576] SSL Malloc Error w/OpenSSL 1.1.1c-fips & FIPS_mode_set(1)

2019-07-12 Thread Scott Sturdivant


New submission from Scott Sturdivant :

Using Py3{5,6,7} and OpenSSL 1.1.1b-fips, I have not encountered this error.  
Once OpenSSL has been upgraded to 1.1.1c-fips, the SSL Malloc Error rears its 
ugly head.

Setup:

Fedora 30 has openssl-fips by default.

Install cryptography with 'pip install cryptography --no-binary=cryptography' 
so that it can link against your system openssl that is fips enabled.

To verify:

With openssl 1.1.1b-fips, the following works:

>>> import urllib.request
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)
1
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...

With openssl 1.1.1c-fips, an error is now raised:

>>> import urllib.request
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)
1
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
Traceback (most recent call last):
  File "/usr/lib64/python3.7/urllib/request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/usr/lib64/python3.7/http/client.py", line 1244, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1290, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1239, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.7/http/client.py", line 966, in send
    self.connect()
  File "/usr/lib64/python3.7/http/client.py", line 1407, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib64/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] malloc failure (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.7/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib64/python3.7/urllib/request.py", line 641, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python3.7/urllib/request.py", line 563, in error
    result = self._call_chain(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 755, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib64/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 1360, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python3.7/urllib/request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL] malloc failure (_ssl.c:1056)>
>>>

--
assignee: christian.heimes
components: SSL
messages: 347755
nosy: Scott Sturdivant, christian.heimes
priority: normal
severity: normal
status: open
title: SSL Malloc Error w/OpenSSL 1.1.1c-fips & FIPS_mode_set(1)
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7
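
An added example, not part of the original report and not code from Python, cryptography or OpenSSL: a helper that collects the facts this thread turns on (which OpenSSL build the ssl module and cryptography are linked against, whether the kernel FIPS flag is set, and whether an exception is the malloc failure from the traceback) so they can be attached to a downstream ticket. The function names are hypothetical, and /proc/sys/crypto/fips_enabled is assumed to be the Linux kernel FIPS flag.

```python
import re
import ssl

# Matches strings such as "OpenSSL 1.1.1c FIPS  28 May 2019" or "OpenSSL 1.1.1c-fips".
_VERSION_RE = re.compile(
    r"^(?P<lib>\w+) (?P<ver>\d+\.\d+\.\d+[a-z]*)(?P<fips>[ -]fips)?\b", re.I)

def parse_openssl_version(text):
    """Split an OpenSSL version string into library, version and FIPS-build flag."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    return {"library": m["lib"], "version": m["ver"],
            "fips_build": m["fips"] is not None}

def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True/False from the kernel flag, or None when the file is not readable."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None

def is_malloc_failure(exc):
    """True for the SSLError in the report, bare or wrapped by urllib's URLError."""
    inner = getattr(exc, "reason", None)
    if isinstance(inner, ssl.SSLError):      # URLError keeps the SSLError in .reason
        exc = inner
    return isinstance(exc, ssl.SSLError) and "malloc failure" in str(exc)

def environment_report():
    """Gather the OpenSSL builds seen by ssl and (if installed) cryptography."""
    info = {"ssl_module": parse_openssl_version(ssl.OPENSSL_VERSION),
            "kernel_fips": kernel_fips_enabled(),
            "cryptography": None}
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
        info["cryptography"] = parse_openssl_version(backend.openssl_version_text())
    except Exception:                        # not installed, or backend failed to load
        pass
    return info

if __name__ == "__main__":
    for key, value in environment_report().items():
        print(f"{key}: {value}")
```

If the two version entries differ, the ssl module and cryptography are not linked against the same OpenSSL build, which is worth stating in the ticket.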
