From krishnamnnit11 at gmail.com Thu Jan 10 18:35:43 2019
From: krishnamnnit11 at gmail.com (Krishna Kumar)
Date: Thu, 10 Jan 2019 15:35:43 -0800
Subject: [Cryptography-dev] build. cryptography with fips openssl and enable fips mode
Message-ID:

Hi

I am new to Python and I am trying to run mitmproxy in FIPS mode. It uses
cryptography. Since it's built on top of Python, I thought we need to make my
Python use FIPS OpenSSL and enable FIPS mode in it.

I compiled Python 3.6 against FIPS OpenSSL, along with exposing functions to
enable FIPS mode in it, as explained here.

Python shows that it uses FIPS OpenSSL:

    nsroot at Egress-1:~/openssl$ python3
    Python 3.6.4 (default, Jan 10 2019, 21:10:38)
    [GCC 5.4.0 20160609] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import ssl
    >>> ssl.OPENSSL_VERSION
    'OpenSSL 1.0.2q-fips 20 Nov 2018'

But when I do the following I see a different version:

    nsroot at Egress-1:~/python$ python3
    Python 3.6.4 (default, Jan 10 2019, 21:10:38)
    [GCC 5.4.0 20160609] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from OpenSSL import SSL
    >>> print("OpenSSL: {}".format(SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode()),)
    OpenSSL: OpenSSL 1.1.0j 20 Nov 2018

So I guess I am getting a different version because cryptography comes with its
own version of OpenSSL, as mentioned here:
https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux

Looking at the documentation it looks like it's tested with FIPS OpenSSL:
https://cryptography.io/en/latest/installation/#supported-platforms

The link doesn't explain in detail how we can compile cryptography step by step
with any custom OpenSSL, here in my case with FIPS OpenSSL. Is there any other
link or documentation which I can follow to compile cryptography against FIPS
OpenSSL? Any help is appreciated.

Also, once it's compiled against FIPS OpenSSL, how do we enable FIPS mode in it?
OpenSSL documentation says the application should call FIPS_mode_set() to be
really in FIPS mode. How do we do it for the OpenSSL used by cryptography so
that the application mitmproxy uses FIPS crypto?

Thanks
Krishna kumar

From scott.sturdivant at gmail.com Thu Jan 10 19:28:01 2019
From: scott.sturdivant at gmail.com (Scott Sturdivant)
Date: Thu, 10 Jan 2019 17:28:01 -0700
Subject: [Cryptography-dev] build. cryptography with fips openssl and enable fips mode
In-Reply-To:
References:
Message-ID:

Hi Krishna,

You will need to build the cryptography library from source to avoid using the
static library that ships with the wheel package. I recommend using a virtual
environment to do this. Some commands:

    $ python3 -m venv /tmp/venv
    $ source /tmp/venv/bin/activate
    $ pip install cryptography --no-binary cryptography

At this point you can do the following to enable FIPS mode:

    $ python
    >>> from cryptography.hazmat.backends.openssl.backend import backend
    >>> backend._lib.FIPS_mode_set(1)

Scott

On Thu, Jan 10, 2019 at 4:37 PM Krishna Kumar wrote:

> Hi
>
> I am new to Python and I am trying to run mitmproxy in FIPS mode. It uses
> cryptography. Since it's built on top of Python, I thought we need to make
> my Python use FIPS OpenSSL and enable FIPS mode in it.
>
> I compiled Python 3.6 against FIPS OpenSSL, along with exposing functions
> to enable FIPS mode in it, as explained here.
>
> Python shows that it uses FIPS OpenSSL:
>
>     nsroot at Egress-1:~/openssl$ python3
>     Python 3.6.4 (default, Jan 10 2019, 21:10:38)
>     [GCC 5.4.0 20160609] on linux
>     Type "help", "copyright", "credits" or "license" for more information.
>     >>> import ssl
>     >>> ssl.OPENSSL_VERSION
>     'OpenSSL 1.0.2q-fips 20 Nov 2018'
>
> But when I do the following I see a different version:
>
>     nsroot at Egress-1:~/python$ python3
>     Python 3.6.4 (default, Jan 10 2019, 21:10:38)
>     [GCC 5.4.0 20160609] on linux
>     Type "help", "copyright", "credits" or "license" for more information.
>     >>> from OpenSSL import SSL
>     >>> print("OpenSSL: {}".format(SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode()),)
>     OpenSSL: OpenSSL 1.1.0j 20 Nov 2018
>
> So I guess I am getting a different version because cryptography comes
> with its own version of OpenSSL, as mentioned here:
> https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux
>
> Looking at the documentation it looks like it's tested with FIPS OpenSSL:
> https://cryptography.io/en/latest/installation/#supported-platforms
>
> The link doesn't explain in detail how we can compile cryptography step by
> step with any custom OpenSSL, here in my case with FIPS OpenSSL. Is there
> any other link or documentation which I can follow to compile cryptography
> against FIPS OpenSSL? Any help is appreciated.
>
> Also, once it's compiled against FIPS OpenSSL, how do we enable FIPS mode
> in it? OpenSSL documentation says the application should call
> FIPS_mode_set() to be really in FIPS mode. How do we do it for the OpenSSL
> used by cryptography so that the application mitmproxy uses FIPS crypto?
>
> Thanks
> Krishna kumar
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

From paul.l.kehrer at gmail.com Tue Jan 22 11:51:28 2019
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 22 Jan 2019 11:51:28 -0500
Subject: [Cryptography-dev] PyCA cryptography 2.5 released
Message-ID:

PyCA cryptography 2.5 has been released to PyPI.
cryptography includes both high level recipes and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much more. We
support Python 2.7, Python 3.4+, and PyPy.

Changelog (https://cryptography.io/en/latest/changelog/#v2-5):

* BACKWARDS INCOMPATIBLE: U-label strings were deprecated in version 2.1, but
  this version removes the default idna dependency as well. If you still need
  this deprecated path please install cryptography with the idna extra:
  pip install cryptography[idna].
* BACKWARDS INCOMPATIBLE: The minimum supported PyPy version is now 5.4.
* Numerous classes and functions have been updated to allow bytes-like types
  for keying material and passwords, including symmetric algorithms, AEAD
  ciphers, KDFs, loading asymmetric keys, and one time password classes.
* Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL
  1.1.1a.
* Added support for SHA512_224 and SHA512_256 when using OpenSSL 1.1.1.
* Added support for SHA3_224, SHA3_256, SHA3_384, and SHA3_512 when using
  OpenSSL 1.1.1.
* Added support for X448 key exchange when using OpenSSL 1.1.1.
* Added support for SHAKE128 and SHAKE256 when using OpenSSL 1.1.1.
* Added initial support for parsing PKCS12 files with
  load_key_and_certificates().
* Added support for IssuingDistributionPoint.
* Added rfc4514_string() method to x509.Name, x509.RelativeDistinguishedName,
  and x509.NameAttribute to format the name or component as an RFC 4514
  Distinguished Name string.
* Added from_encoded_point(), which immediately checks if the point is on the
  curve and supports compressed points. Deprecated the previous method
  from_encoded_point().
* Added signature_hash_algorithm to OCSPResponse.
* Updated X25519 key exchange support to allow additional serialization
  methods. Calling public_bytes() with no arguments has been deprecated.
* Added support for encoding compressed and uncompressed points via
  public_bytes(). Deprecated the previous method encode_point().

-Paul Kehrer (reaperhulk)
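Going back to the first thread on this page: Scott's reply names the two things Krishna has to get right (link cryptography against the FIPS OpenSSL instead of the wheel's static copy, then call FIPS_mode_set(1) on that library), and Krishna's transcripts show how to detect the first problem (the interpreter's ssl module reports 1.0.2q-fips while cryptography reports 1.1.0j). The script below is an added example, not code from the thread, from mitmproxy or from PyCA cryptography. It parses OpenSSL version banners to spot that mismatch, and wraps the FIPS_mode_set()/FIPS_mode() calls so that failure (symbols absent, or the set call returning 0) is reported rather than silently treated as success. Assumptions: backend._lib is cryptography's private cffi binding object, exactly as Scott uses it (private, so it may change between releases); backend.openssl_version_text() is the public accessor for cryptography's own OpenSSL banner; the FakeFipsBinding/FakeNonFipsBinding classes are constructed here only so the logic can be exercised without a FIPS build.

```python
"""Added example: detect which OpenSSL `cryptography` is linked against and try
to switch it into FIPS mode via the OpenSSL 1.0.2 FIPS Object Module API."""
import re
import ssl

# Matches the banner OpenSSL_version()/SSLeay_version() returns, e.g.
# "OpenSSL 1.0.2q-fips 20 Nov 2018" or "OpenSSL 1.1.0j 20 Nov 2018".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(-fips)?", re.IGNORECASE)


def parse_openssl_version(text):
    """Return {'version': '1.0.2q', 'fips_build': True/False} for a version banner."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    return {"version": m.group(1), "fips_build": m.group(2) is not None}


def same_openssl(banner_a, banner_b):
    """True when two banners name the same OpenSSL release. In the thread the
    stdlib ssl module reports 1.0.2q while cryptography reports 1.1.0j, i.e.
    two different libraries, and only the stdlib one is a FIPS build."""
    return (parse_openssl_version(banner_a)["version"]
            == parse_openssl_version(banner_b)["version"])


def enable_fips_mode(lib):
    """Try to put the OpenSSL behind `lib` into FIPS mode; returns (enabled, reason).

    `lib` is any object exposing the 1.0.2 FIPS API as attributes:
    FIPS_mode_set(int) -> int and FIPS_mode() -> int.  A binding without those
    symbols (a non-FIPS build) or one where FIPS_mode_set(1) returns 0 (no FIPS
    Object Module, or its power-up self-tests failed) is reported as not enabled.
    """
    fips_mode_set = getattr(lib, "FIPS_mode_set", None)
    fips_mode = getattr(lib, "FIPS_mode", None)
    if fips_mode_set is None or fips_mode is None:
        return False, "binding exposes no FIPS_mode_set/FIPS_mode (not a 1.0.2 FIPS build)"
    if fips_mode() == 1:
        return True, "already in FIPS mode"
    if fips_mode_set(1) != 1:
        return False, "FIPS_mode_set(1) returned 0 (no FIPS Object Module or self-test failure)"
    # Do not trust the set call alone: read the mode back from the library.
    if fips_mode() != 1:
        return False, "FIPS_mode_set(1) returned 1 but FIPS_mode() still reports 0"
    return True, "FIPS mode enabled"


class FakeFipsBinding(object):
    """Constructed stand-in for backend._lib on a 1.0.2 FIPS build (demo only)."""

    def __init__(self, has_module=True):
        self._has_module = has_module
        self._mode = 0

    def FIPS_mode_set(self, onoff):
        if not self._has_module:
            return 0  # what OpenSSL returns when no FIPS module is linked in
        self._mode = onoff
        return 1

    def FIPS_mode(self):
        return self._mode


class FakeNonFipsBinding(object):
    """Constructed stand-in for a binding built against a non-FIPS OpenSSL."""


def report_live():
    """Compare the interpreter's OpenSSL with cryptography's and attempt FIPS mode.
    Needs the cryptography package installed; returns a dict of findings."""
    from cryptography.hazmat.backends.openssl.backend import backend
    crypto_banner = backend.openssl_version_text()
    enabled, reason = enable_fips_mode(backend._lib)  # private attribute, see lead-in
    return {
        "stdlib_openssl": ssl.OPENSSL_VERSION,
        "cryptography_openssl": crypto_banner,
        "same_library": same_openssl(ssl.OPENSSL_VERSION, crypto_banner),
        "fips_enabled": enabled,
        "detail": reason,
    }


if __name__ == "__main__":
    for key, value in sorted(report_live().items()):
        print("%-22s %s" % (key, value))
```

Two caveats for anyone following Scott's recipe. First, `--no-binary cryptography` only builds from source; which OpenSSL the build picks up is whatever the compiler and linker find, so the FIPS build's headers and libraries have to be pointed at explicitly (the "using your own OpenSSL on Linux" page Krishna linked covers this via CFLAGS/LDFLAGS) and be resolvable at run time. Second, FIPS_mode_set() belongs to the OpenSSL 1.0.2 FIPS Object Module; OpenSSL 1.1.x never had a validated FIPS module, and OpenSSL 3 replaced this API with the FIPS provider, which is why the wrapper above treats missing symbols as "not enabled" instead of assuming the call exists. The flag is also per library copy: enabling it on cryptography's OpenSSL says nothing about the OpenSSL behind the interpreter's own ssl module unless both are the same shared library.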