Failed to create SSL context when FIPS enabled in python-cryptography #128931

Open
akash0x53 opened this issue Jan 17, 2025 · 2 comments
Labels
topic-SSL type-bug An unexpected behavior, bug, or error

Comments

akash0x53 commented Jan 17, 2025

Bug report

Bug description:

Strange behaviour seen on Windows Python (built from source & linked against OpenSSL 3.0.14).

Platform: Windows (amd64)
Python version: 3.9.20
OpenSSL version: 3.0.14
Python cryptography version: 43.0.3

import os
os.environ["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
os.environ["OPENSSL_CONF"] = r"C:\fips\openssl.cnf"
os.environ["OPENSSL_MODULES"] = r"C:\fips"

from cryptography.hazmat.bindings._rust import openssl as _rust_openssl
print("rust openssl=",_rust_openssl.is_fips_enabled())

from cryptography.hazmat.primitives.asymmetric import rsa
rsa.generate_private_key(public_exponent=65537, key_size=2048)

import ssl
ctx = ssl.SSLContext()

----- output ------

rust openssl= True
Traceback (most recent call last):
  File "C:\cygwin64\home\nshende1\flexsnap\ssl_bug.py", line 13, in <module>
    ctx = ssl.SSLContext()
  File "C:\cygwin64\home\nshende1\flexsnap\buildarea\pyenv\lib\ssl.py", line 484, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: [SSL: LIBRARY_HAS_NO_CIPHERS] library has no ciphers (_ssl.c:3179)

CPython versions tested on:

3.9, 3.13

Operating systems tested on:

Windows

@akash0x53 akash0x53 added the type-bug An unexpected behavior, bug, or error label Jan 17, 2025
@skirpichev
Member

Note that 3.9 is now security-fixes only; I doubt this one fits into this category. Can you reproduce this on stable versions?

@akash0x53 akash0x53 changed the title Failed to craete SSL context when FIPS enabled in python-cryptography Failed to create SSL context when FIPS enabled in python-cryptography Jan 17, 2025
@akash0x53
Author

Same issue observed on 3.13.

>>> import os
>>> os.environ["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
>>> os.environ["OPENSSL_CONF"] = r"C:\fips\openssl.cnf"
>>> os.environ["OPENSSL_MODULES"] = r"C:\fips"
>>>
>>> from cryptography.hazmat.bindings._rust import openssl as _rust_openssl
>>> print("rust openssl=",_rust_openssl.is_fips_enabled())
rust openssl= True
>>> from cryptography.hazmat.primitives.asymmetric import rsa
>>> rsa.generate_private_key(public_exponent=65537, key_size=2048)
<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPrivateKey object at 0x000001F117AFA270>
>>> import ssl
>>> ctx = ssl.SSLContext()
<python-input-13>:1: DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
  ctx = ssl.SSLContext()
<python-input-13>:1: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  ctx = ssl.SSLContext()
Traceback (most recent call last):
  File "<python-input-13>", line 1, in <module>
    ctx = ssl.SSLContext()
  File "C:\cygwin64\home\nshende1\flexsnap\buildarea\pyenv\Lib\ssl.py", line 438, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: [SSL: LIBRARY_HAS_NO_CIPHERS] library has no ciphers (_ssl.c:3113)
>>>
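
One way to triage a report like the one above, as an added example that is not part of the original thread: create the context in fresh interpreters so that each variant (no FIPS environment, the reporter's environment, the reporter's environment plus importing cryptography first) is observed in isolation. `probe`, `PROBE`, `LOAD_CRYPTOGRAPHY` and `FIPS_ENV` are names made up for this example; the environment values are the ones from the report.

```python
import json
import os
import subprocess
import sys

# Child-process probe: report the OpenSSL build that _ssl is linked against
# and whether a TLS client context can be created.
PROBE = r"""
import json, ssl
out = {"openssl": ssl.OPENSSL_VERSION}
try:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    out.update(ok=True, ciphers=len(ctx.get_ciphers()))
except ssl.SSLError as exc:
    out.update(ok=False, error=exc.reason)
print(json.dumps(out))
"""

# Optional preamble mirroring the report: import cryptography before ssl.
LOAD_CRYPTOGRAPHY = r"""
try:
    from cryptography.hazmat.bindings._rust import openssl as _o
    print("cryptography fips:", _o.is_fips_enabled())
except ImportError:
    print("cryptography not installed")
"""

# Environment from the report (the paths are the reporter's).
FIPS_ENV = {
    "CRYPTOGRAPHY_OPENSSL_NO_LEGACY": "1",
    "OPENSSL_CONF": r"C:\fips\openssl.cnf",
    "OPENSSL_MODULES": r"C:\fips",
}

def probe(extra_env=None, preamble=""):
    """Run the probe in a fresh interpreter and return its JSON result as a dict."""
    env = {**os.environ, **(extra_env or {})}
    proc = subprocess.run([sys.executable, "-c", preamble + PROBE],
                          env=env, capture_output=True, text=True)
    lines = proc.stdout.strip().splitlines()
    if proc.returncode != 0 or not lines:
        return {"ok": False, "error": proc.stderr.strip() or "no output"}
    return json.loads(lines[-1])  # JSON is the last line; preamble output precedes it

if __name__ == "__main__":
    print("baseline          ", probe())
    print("fips env only     ", probe(FIPS_ENV))
    print("fips env + crypto ", probe(FIPS_ENV, LOAD_CRYPTOGRAPHY))
```

Comparing the `openssl`, `ok` and `error` fields across the three runs shows whether the failure follows the environment variables alone or only appears once cryptography has been imported in the same process.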
