OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

Wed Apr 19 15:35:54 UTC 2023

Hi Dr.Paul/Team,

Good Morning,

We have integrated OpenSSL 3.0.8 in our code along with fips enablement. We are using python 3.11 version.

We have used the default search path as our application directory (OSSL_PROVIDER_set_default_search_path) and loaded the "base" and "fips" providers and not the default provider.
OSSL_PROVIDER_load(None, b"base")

OSSL_PROVIDER_load(None, b"fips")

After that, we enabled the FIPS using libcrypto.EVP_default_properties_enable_fips() call.

Should we load the default provider as well or base and fips are good enough?

Sometimes we are getting the below error message from Python cryptography package

cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, reason=524556, reason_text=b'error:0308010C:digital envelope routines::unsupported')])

This error is intermittent is what we are observing as we have already tested the complete application couple of times

Any thoughts or inputs on this please will help us in debugging more on this issue.

Thanks,
Raghavendra

Internal Use - Confidential
From: Dr Paul Dale <pauli at openssl.org>
Sent: Wednesday, March 8, 2023 11:02 AM
To: Prasad, PCRaghavendra; openssl-users at openssl.org
Cc: Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath
Subject: Re: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

[EXTERNAL EMAIL]

Are there any specific .h files where we can refer to this method that needs to be used ( ex: evp.h )?

#include "openssl/evp.h" should be enough to get the EVP APIs.  You will need other includes for other parts of OpenSSL but that covers EVP well enough.

still, are there any files that we can go through once before calling in the fips mode?

Turn on -Wdeprecated or equivalent in your compile and the low level calls will be flagged.  They should all be deprecated.

One more doubt is How can we set fips enabled for the complete application (process/service) while running so that if we are using non-compliant algorithms/methods it should throw errors? Is it possible in OpenSSL 3.0.x?

The call you are looking for is:

    EVP_set_default_properties(libctx, "fips=yes");

I strongly suggest reading the documentation about the FIPS provider [openssl.org]<https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/fips_module.html__;!!LpKI!gwsGt_60jqaHzhWTEXZCwSn0frcRAuJbbxYQLrkbfBfkw9-Eg_mdOnYzU6EDHNOBOR25XSXKcqHcPO1X7_TtGA$> and the migration guide [openssl.org]<https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/migration_guide.html__;!!LpKI!gwsGt_60jqaHzhWTEXZCwSn0frcRAuJbbxYQLrkbfBfkw9-Eg_mdOnYzU6EDHNOBOR25XSXKcqHcPO2zYsa_AA$>.  Both the avoidance of low level calls and setting the default properties are covered therein.  There are a number of other nuances to trip over when using the FIPS provider.

Paul Dale
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230419/afa51bd9/attachment.htm>