Issue37576
Created on 2019-07-12 21:13 by Scott Sturdivant, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Messages (4) | |||
---|---|---|---|
msg347755 - (view) | Author: Scott Sturdivant (Scott Sturdivant) | Date: 2019-07-12 21:13 | |
Using Py3{5,6,7} and OpenSSL 1.1.1b-fips, I have not encountered this error. Once OpenSSL has been upgraded to 1.1.1c-fips, the SSL Malloc Error rears its ugly head.

Setup: Fedora 30 has openssl-fips by default. Install cryptography with 'pip install cryptography --no-binary=cryptography' so that it can link against your system openssl that is fips enabled.

To verify: With openssl 1.1.1b-fips, the following works:

```
>>> import urllib.request
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)
1
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
```

With openssl 1.1.1c-fips, an error is now raised:

```
>>> import urllib.request
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)
1
>>> with urllib.request.urlopen('http://python.org/') as response:
...     html = response.read()
...
Traceback (most recent call last):
  File "/usr/lib64/python3.7/urllib/request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/usr/lib64/python3.7/http/client.py", line 1244, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1290, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1239, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.7/http/client.py", line 966, in send
    self.connect()
  File "/usr/lib64/python3.7/http/client.py", line 1407, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib64/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] malloc failure (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.7/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib64/python3.7/urllib/request.py", line 641, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python3.7/urllib/request.py", line 563, in error
    result = self._call_chain(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 755, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib64/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 1360, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python3.7/urllib/request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL] malloc failure (_ssl.c:1056)>
>>>
```
|||
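The reproduction above only works when the ssl module and cryptography are linked against the same system OpenSSL, which is why the report installs cryptography with `--no-binary`. The following diagnostic is an added example, not code from the issue or from CPython: it parses the linked OpenSSL version string, compares it with the build cryptography reports, and starts a client handshake over in-memory BIOs to see whether `do_handshake()` fails locally. The version strings in its comment are constructed samples and `host.invalid` is a placeholder name.

```python
import re
import ssl

# Accepts both spellings: "OpenSSL 1.1.1c FIPS  28 May 2019" and "OpenSSL 1.1.1b-fips".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:[-\s]+(fips))?", re.IGNORECASE)

def parse_openssl_version(text):
    """Return (major, minor, patch, letter, is_fips_build), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4).lower(), m.group(5) is not None

def probe_client_handshake():
    """Begin a TLS client handshake over in-memory BIOs; no network is used."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="host.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        # Normal outcome: the ClientHello is queued and OpenSSL waits for a reply.
        return "ok" if outgoing.pending else "failed: no ClientHello written"
    except ssl.SSLError as exc:
        # A local failure such as "[SSL] malloc failure" lands here.
        return "failed: {}".format(exc)
    return "failed: handshake finished without a peer"

def diagnose():
    """Collect the details a report against the OpenSSL package would need."""
    report = {"ssl_module": ssl.OPENSSL_VERSION,
              "parsed": parse_openssl_version(ssl.OPENSSL_VERSION),
              "handshake": probe_client_handshake()}
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
        report["cryptography"] = backend.openssl_version_text()
    except Exception:  # cryptography missing or not importable
        report["cryptography"] = None
    # A mismatch means cryptography carries its own OpenSSL, so its
    # FIPS_mode_set() call would not affect the ssl module.
    report["same_openssl"] = report["cryptography"] == report["ssl_module"]
    return report

if __name__ == "__main__":
    for key, value in diagnose().items():
        print("{:>13}: {}".format(key, value))
```

The probe only exercises the first step of the handshake, so an "ok" result rules out a local failure while building the ClientHello, not a failure later in the exchange.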
msg347764 - (view) | Author: Christian Heimes (christian.heimes) | Date: 2019-07-12 22:58 | |
The issue is out of scope for Python's ssl module. FIPS mode is not supported by Python and I have no intention to start supporting FIPS mode in Python upstream. Any FIPS related bug is most likely related to Fedora's FIPS patches. Please open a Red Hat Bugzilla and report the issue against the openssl component on Fedora. By the way, Fedora is not FIPS certified, so it makes no sense to enable FIPS on Fedora at all. You just get a crippled system without any benefits. Furthermore, OpenSSL 1.1.1 is also not FIPS certified. |
|||
msg347768 - (view) | Author: Scott Sturdivant (Scott Sturdivant) | Date: 2019-07-13 02:30 | |
Thank you for your input; I wasn't sure where to place the bug. Red Hat it will be then! And no worries, I get the FIPS validated vs compliant nuances. My target system has OpenSSL compiled per their directions, I just mentioned Fedora since it's relatively straightforward to duplicate. I'll check my target system as well, then given that outcome may see what Red Hat's Bugzilla has to say. Thank you again! |
|||
msg347792 - (view) | Author: Christian Heimes (christian.heimes) | Date: 2019-07-13 09:48 | |
You are welcome! Could you please do me a favor and post the RHBZ# here after you have created a ticket? Thanks :) |
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:59:17 | admin | set | github: 81757 |
2019-07-13 09:48:16 | christian.heimes | set | messages: + msg347792 |
2019-07-13 02:30:15 | Scott Sturdivant | set | messages: + msg347768 |
2019-07-12 22:58:03 | christian.heimes | set | status: open -> closed resolution: third party messages: + msg347764 stage: resolved |
2019-07-12 21:13:13 | Scott Sturdivant | create |