[Cryptography-dev] build. cryptography with fips openssl and enable fips mode

Scott Sturdivant scott.sturdivant at gmail.com
Thu Jan 10 19:28:01 EST 2019


Hi Krishna,

You will need to build the cryptography library from source to avoid using
the static library that ships with the wheel package.  I recommend using a
virtual environment to do this. Some commands:

$ python3 -m venv /tmp/venv
$ source /tmp/venv/bin/activate
$ pip install cryptography --no-binary cryptography

At this point you can do the following to enable FIPS mode:

$ python
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> backend._lib.FIPS_mode_set(1)

Scott

On Thu, Jan 10, 2019 at 4:37 PM Krishna Kumar <krishnamnnit11 at gmail.com>
wrote:

> Hi
>
> I am new to python and I am trying to run mitmproxy
> <https://mitmproxy.org/> in fips mode. It uses cryptography
> <https://github.com/mitmproxy/mitmproxy/issues/1808>.  Since it's built on
> top of python, I thought we need to make my python use fips openssl and
> enable fips mode in it.
>
> I compiled python 3.6 against fips openssl, along with exposing
> functions to enable fips mode in it, as explained here
> <https://stackoverflow.com/questions/49493537/how-to-implement-fips-mode-and-fips-mode-set-in-python-3-6s-ssl-module>.
>
> Python shows that it uses fips openssl:
>
> nsroot at Egress-1:~/openssl$ python3
> Python 3.6.4 (default, Jan 10 2019, 21:10:38)
> [GCC 5.4.0 20160609] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import ssl
> >>> ssl.OPENSSL_VERSION
> 'OpenSSL 1.0.2q-fips  20 Nov 2018'
>
> But when I do the following I see a different version:
>
> nsroot at Egress-1:~/python$ python3
> Python 3.6.4 (default, Jan 10 2019, 21:10:38)
> [GCC 5.4.0 20160609] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from OpenSSL import SSL
> >>> print("OpenSSL: {}".format(SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode()),)
> OpenSSL:   OpenSSL 1.1.0j  20 Nov 2018
>
> So I guess I am getting a different version because cryptography comes with
> its own version of openssl, as mentioned here:
> https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux
>
> Looking at the documentation, it looks like it's tested with fips openssl:
> https://cryptography.io/en/latest/installation/#supported-platforms.
>
> The link
> <https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux>
> doesn't explain in detail how we can compile cryptography step by step with
> any custom openssl, in my case with fips openssl. Is there any other
> link or documentation which I can follow to compile cryptography against
> fips openssl? Any help is appreciated.
>
> Also, once it's compiled against fips openssl, how do we enable fips mode in
> it? Openssl documentation says the application should call FIPS_mode_set()
> to be really in FIPS mode. How do we do it for the openssl used by
> cryptography so that the application mitmproxy uses FIPS crypto?
>
> Thanks
> Krishna kumar
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
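Scott's two steps leave one thing unchecked: after the `--no-binary` rebuild, does cryptography's backend actually load the same FIPS-capable OpenSSL as the interpreter's `ssl` module, or is the statically linked 1.1.0 library from the old wheel still in use? The script below (an added example, not code from this thread or from the cryptography project) compares the two version banners, refuses to proceed on a mismatch or on a build without the `-fips` suffix, and only then calls `FIPS_mode_set(1)` through `backend._lib` as Scott describes. It assumes cryptography was installed from source against an OpenSSL 1.0.2 FIPS build; `backend.openssl_version_text()` is cryptography's own accessor, `FIPS_mode_set` is the binding named in the thread, and a companion `FIPS_mode` binding is assumed to exist (the code tolerates its absence). The banner strings in the comments are the ones Krishna posted.

```python
"""Verify which OpenSSL the cryptography package really uses, then enable
FIPS mode only when that library is a FIPS-capable build.

Added example (not from the mailing-list thread or the cryptography project).
Assumes: cryptography built from source against OpenSSL 1.0.2 with the FIPS
module; backend.openssl_version_text() (cryptography's accessor);
FIPS_mode_set() (binding named in the thread); FIPS_mode() (assumed binding).
"""
import re
import ssl

# Matches banners such as 'OpenSSL 1.0.2q-fips  20 Nov 2018' (from the thread)
BANNER_RE = re.compile(r"OpenSSL\s+(\S+)")


def parse_openssl_version(banner):
    """Split an OpenSSL version banner into (version, fips_capable).

    'OpenSSL 1.0.2q-fips  20 Nov 2018' -> ('1.0.2q', True)
    'OpenSSL 1.1.0j  20 Nov 2018'      -> ('1.1.0j', False)
    """
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    version = m.group(1)
    fips = version.endswith("-fips")
    return (version[: -len("-fips")] if fips else version), fips


def report(ssl_banner, cryptography_banner):
    """Compare the interpreter's ssl module against cryptography's backend.

    A version mismatch means cryptography is still carrying the OpenSSL that
    was statically linked into its wheel, so enabling FIPS mode on the ssl
    module's library would cover nothing cryptography (hence pyOpenSSL and
    mitmproxy) does. A missing '-fips' suffix means FIPS_mode_set(1) cannot
    succeed on that library at all.
    """
    ssl_version, _ = parse_openssl_version(ssl_banner)
    crypto_version, crypto_fips = parse_openssl_version(cryptography_banner)
    same = ssl_version == crypto_version
    problems = []
    if not same:
        problems.append("cryptography links OpenSSL %s but the ssl module links %s"
                        % (crypto_version, ssl_version))
    if not crypto_fips:
        problems.append("cryptography's OpenSSL is not a FIPS-capable build")
    return {"same_library": same, "fips_capable": crypto_fips, "problems": problems}


def cryptography_banner():
    """Version banner of the OpenSSL that cryptography's backend loaded."""
    from cryptography.hazmat.backends.openssl.backend import backend
    return backend.openssl_version_text()


def enable_fips():
    """Switch cryptography's OpenSSL into FIPS mode; return True on success.

    Raises instead of silently continuing in non-FIPS mode, which is the
    failure mode to avoid when the whole point is a FIPS deployment.
    """
    from cryptography.hazmat.backends.openssl.backend import backend
    lib = backend._lib
    if not hasattr(lib, "FIPS_mode_set"):
        raise RuntimeError("binding has no FIPS_mode_set: not an OpenSSL 1.0.2 FIPS build")
    if lib.FIPS_mode_set(1) != 1:
        # 0 means the FIPS module is absent or failed its power-on self-tests
        raise RuntimeError("FIPS_mode_set(1) failed; check the FIPS module install")
    fips_mode = getattr(lib, "FIPS_mode", None)  # assumed binding; optional here
    return fips_mode() == 1 if fips_mode is not None else True


if __name__ == "__main__":
    crypto = cryptography_banner()
    print("ssl module:   ", ssl.OPENSSL_VERSION)
    print("cryptography: ", crypto)
    result = report(ssl.OPENSSL_VERSION, crypto)
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    if not result["problems"]:
        print("FIPS mode enabled:", enable_fips())
```

Run it inside the rebuilt virtualenv; on Krishna's original setup it reports the 1.0.2q-fips versus 1.1.0j mismatch and stops, and after the `--no-binary` rebuild it should show matching banners and then enable FIPS mode.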