OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs
Dr Paul Dale
pauli at openssl.org
Thu Apr 20 01:39:37 UTC 2023
It looks like you're trying to access non-approved crypto. My
suggestion would be to create a new library context specifically for
this using OSSL_LIB_CTX_new(). Load only the default provider into that
context using OSSL_PROVIDER_load(). Do not call
EVP_default_properties_enable_fips() on it.
You should only use this new library context for non-FIPS operations.
If there is any doubt about what is permitted and what isn't, contact
your FIPS lab for clarification.
On 20/4/23 01:35, Prasad, PCRaghavendra wrote:
> Hi Dr. Paul/Team,
> Good Morning,
> We have integrated OpenSSL 3.0.8 in our code along with FIPS
> enablement. We are using Python version 3.11.
> We have used the default search path as our application directory
> (OSSL_PROVIDER_set_default_search_path) and loaded the “base” and
> “fips” providers and not the default provider.
> OSSL_PROVIDER_load(None, b"base")
> OSSL_PROVIDER_load(None, b"fips")
> After that, we enabled the FIPS using
> libcrypto.EVP_default_properties_enable_fips() call.
> Should we load the default provider as well, or are base and fips enough?
> Sometimes we are getting the below error message from Python
> cryptography package
> cryptography.exceptions.InternalError: Unknown OpenSSL error. This
> error is commonly encountered when another library is not cleaning up
> the OpenSSL error stack. If you are using cryptography with another
> library that uses OpenSSL try disabling it before reporting a bug.
> Otherwise please file an issue at
> https://github.com/pyca/cryptography/issues with information on how to
> reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6,
> reason=524556, reason_text=b'error:0308010C:digital envelope
> We are observing that this error is intermittent, as we have already
> tested the complete application a couple of times.
> Any thoughts or inputs on this will help us debug this issue further.
> *From:* Dr Paul Dale <pauli at openssl.org>
> *Sent:* Wednesday, March 8, 2023 11:02 AM
> *To:* Prasad, PCRaghavendra; openssl-users at openssl.org
> *Cc:* Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath
> *Subject:* Re: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need
> Are there any specific .h files where we can refer to this method
> that needs to be used (e.g. evp.h)?
> #include "openssl/evp.h" should be enough to get the EVP APIs. You
> will need other includes for other parts of OpenSSL but that covers
> EVP well enough.
> Still, are there any files that we can go through once before
> calling in FIPS mode?
> Turn on -Wdeprecated or equivalent in your compile and the low level
> calls will be flagged. They should all be deprecated.
> One more doubt: how can we set FIPS enabled for the complete
> application (process/service) while running, so that if we are
> using non-compliant algorithms/methods it throws errors? Is
> it possible in OpenSSL 3.0.x?
> The call you are looking for is:
> EVP_set_default_properties(libctx, "fips=yes");
> I strongly suggest reading the documentation about the FIPS provider
> and the migration guide [openssl.org]
> Both the avoidance of low level calls and setting the default
> properties are covered therein. There are a number of other nuances
> to trip over when using the FIPS provider.
> Paul Dale