Classification
Title: SSL Malloc Error w/OpenSSL 1.1.1c-fips & FIPS_mode_set(1)
Type: behavior
Stage: resolved
Components: SSL
Versions: Python 3.7, Python 3.6, Python 3.5

Process
Status: closed
Resolution: third party
Assigned To: christian.heimes
Nosy List: Scott Sturdivant, christian.heimes
Priority: normal

Created on 2019-07-12 21:13 by Scott Sturdivant, last changed 2019-07-13 09:48 by christian.heimes. This issue is now closed.

Messages (4)
msg347755 - Author: Scott Sturdivant (Scott Sturdivant) Date: 2019-07-12 21:13
Using Py3{5,6,7} and OpenSSL 1.1.1b-fips, I have not encountered this error.  Once OpenSSL has been upgraded to 1.1.1c-fips, the SSL Malloc Error rears its ugly head.

Setup:

Fedora 30 has openssl-fips by default.

Install cryptography with 'pip install cryptography --no-binary=cryptography' so that it can link against your system openssl that is fips enabled.

To verify:

With openssl 1.1.1b-fips, the following works:

>>> import urllib.request
>>> with urllib.request.urlopen('http://python.org/') as response:
...    html = response.read()
...
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)
1
>>> with urllib.request.urlopen('http://python.org/') as response:
...    html = response.read()
...

With openssl 1.1.1c-fips, an error is now raised:

>>> import urllib.request
>>> with urllib.request.urlopen('http://python.org/') as response:
...    html = response.read()
...
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)
1
>>> with urllib.request.urlopen('http://python.org/') as response:
...    html = response.read()
...
Traceback (most recent call last):
  File "/usr/lib64/python3.7/urllib/request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/usr/lib64/python3.7/http/client.py", line 1244, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1290, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1239, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.7/http/client.py", line 966, in send
    self.connect()
  File "/usr/lib64/python3.7/http/client.py", line 1407, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib64/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] malloc failure (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.7/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib64/python3.7/urllib/request.py", line 641, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python3.7/urllib/request.py", line 563, in error
    result = self._call_chain(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 755, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib64/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.7/urllib/request.py", line 1360, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python3.7/urllib/request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL] malloc failure (_ssl.c:1056)>
>>>
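The reproduction above turned into a small diagnostic, as an added example that is not part of the original thread: it reports whether the ssl module and the cryptography package share one OpenSSL build (which is what lets FIPS_mode_set(1) through cryptography affect urllib's handshakes), unwraps the ssl.SSLError that urllib re-raises inside URLError in the chained traceback, and flags the "[SSL] malloc failure" case. It assumes cryptography's backend.openssl_version_text() method; everything else is standard library, and the error objects in the checks are constructed to mirror the message shown above.

```python
import re
import ssl
import urllib.error
import urllib.request

# ssl and the cryptography package can be linked against different OpenSSL
# builds; FIPS_mode_set(1) through cryptography only affects ssl's handshakes
# when both share one library (the report forced that via --no-binary).
def openssl_build_report():
    """Which OpenSSL ssl uses, which one cryptography is bound to (if it is
    importable), and whether the two are the same build."""
    report = {"ssl": ssl.OPENSSL_VERSION, "cryptography": None, "same_build": None}
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return report
    report["cryptography"] = backend.openssl_version_text()  # assumed API
    report["same_build"] = report["cryptography"] == report["ssl"]
    return report

# matches "[SSL] malloc failure (_ssl.c:1056)" and "[SSL: CODE] text (_ssl.c:N)"
_SSL_MSG = re.compile(r"\[(?P<lib>[A-Z0-9_]+)(?::\s*[A-Z0-9_]+)?\]\s+(?P<reason>[^(]+?)\s*\(")

def unwrap_tls_error(exc):
    """urllib re-raises the handshake failure as URLError and keeps the original
    ssl.SSLError in .reason (the chained traceback shows both layers).
    Return (library, reason), or None if this is not an SSL-layer error."""
    inner = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if not isinstance(inner, ssl.SSLError):
        return None
    lib, reason = getattr(inner, "library", None), getattr(inner, "reason", None)
    if lib and reason:                   # set by _ssl.c when the code is known
        return lib, reason
    m = _SSL_MSG.search(str(inner))      # otherwise parse the message text
    return (m.group("lib"), m.group("reason").strip()) if m else None

def is_malloc_failure(exc):
    """True for the "[SSL] malloc failure" seen after FIPS_mode_set(1)."""
    info = unwrap_tls_error(exc)
    return info is not None and info[1].replace("_", " ").lower() == "malloc failure"

def probe(url="https://python.org/", timeout=10):
    """Try one TLS handshake; return ("ok", None) or ("error", (lib, reason))."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read(1)
        return "ok", None
    except (urllib.error.URLError, ssl.SSLError) as e:
        return "error", unwrap_tls_error(e)
```

Run openssl_build_report() before and after FIPS_mode_set(1); a same_build of False means the FIPS switch never reached the OpenSSL that ssl actually uses.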
msg347764 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-07-12 22:58
The issue is out of scope for Python's ssl module. FIPS mode is not supported by Python and I have no intention to start supporting FIPS mode in Python upstream. Any FIPS related bug is most likely related to Fedora's FIPS patches. Please open a Red Hat Bugzilla and report the issue against the openssl component on Fedora.

By the way, Fedora is not FIPS certified, so it makes no sense to enable FIPS on Fedora at all. You just get a crippled system without any benefits. Furthermore, OpenSSL 1.1.1 is also not FIPS certified.
msg347768 - Author: Scott Sturdivant (Scott Sturdivant) Date: 2019-07-13 02:30
Thank you for your input; I wasn't sure where to place the bug. Redhat it will be then!

And no worries, I get the FIPS validated vs compliant nuances. My target system has OpenSSL compiled per their directions; I just mentioned Fedora since it's relatively straightforward to duplicate. I'll check my target system as well, then given that outcome may see what Redhat's Bugzilla has to say.

Thank you again!
msg347792 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-07-13 09:48
You are welcome!

Could you please do me a favor and post the RHBZ# here after you have created a ticket? Thanks :)
History
Date | User | Action | Args
2019-07-13 09:48:16 | christian.heimes | set | messages: + msg347792
2019-07-13 02:30:15 | Scott Sturdivant | set | messages: + msg347768
2019-07-12 22:58:03 | christian.heimes | set | status: open -> closed; resolution: third party; messages: + msg347764; stage: resolved
2019-07-12 21:13:13 | Scott Sturdivant | create |