Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

md5 fails when OpenSSL FIPS is enabled #7611

Closed
lhupfeldt opened this issue May 4, 2020 · 2 comments
Closed

md5 fails when OpenSSL FIPS is enabled #7611

lhupfeldt opened this issue May 4, 2020 · 2 comments
Labels
type:bug
Milestone
3.0.4

Comments

@lhupfeldt
Copy link
Contributor

Attemting to build documentation on a Redhat Linux with SSL FIPS enabled, results in the following error:

File .../sphinx/builders/html/__init__.py", line 80, in get_stable_hash return md5(str(obj).encode()).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Environment info

  • OS: Redhat Linux 7.8 - FIPS enabled
  • Python version: 3.6.8
  • Sphinx version: v3.0.3

The md5 algorithm is considered insecure and is not allowed by FIPS. A workaround is to supply the argument 'usedforsecurity=False' to the md5 call. Another solution would be changing the hash algorithm.
The 'usedforsecurity' is not supported on all platforms, so would have to be wrapped in a try/except.

There seems to be no workaround for this issue other than a systemwide disabling of FIPS, which I cannot do, so changing the caching code in sphinx seems like the only solution.
@lhupfeldt
Copy link
Contributor Author

Support for this flag should become part of the standard python hashlib module: python/cpython#16044

@lhupfeldt lhupfeldt mentioned this issue May 4, 2020
Merged
tk0miya added a commit that referenced this issue May 5, 2020
@tk0miya
Merge pull request #7614 from lhupfeldt/3.0.x
d670214 
md5 OpenSSL FIPS mode fix #7611
@tk0miya tk0miya added this to the 3.0.4 milestone May 5, 2020
@tk0miya tk0miya closed this as completed May 5, 2020
@stratakis
Copy link
Contributor

Noting here that as of Python 3.9, Python upstream supports the usedforsecurity=False keyword argument: python/cpython@7cad53e

@tk0miya tk0miya mentioned this issue May 21, 2020
Closed
@Martin-Rey Martin-Rey mentioned this issue Sep 7, 2020
Closed
@anastasia-lucas anastasia-lucas mentioned this issue Jul 19, 2021
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 24, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type:bug
Projects
None yet
Milestone
3.0.4
Development

No branches or pull requests
3 participants
@tk0miya @lhupfeldt @stratakis