[Cryptography-dev] build. cryptography with fips openssl and enable fips mode
Krishna Kumar
krishnamnnit11 at gmail.com
Thu Jan 10 18:35:43 EST 2019
Hi
I am new to Python and I am trying to run mitmproxy <https://mitmproxy.org/> in
FIPS mode. It uses cryptography
<https://github.com/mitmproxy/mitmproxy/issues/1808>. Since it's built on
top of Python, I thought we need to make my Python use FIPS OpenSSL and
enable FIPS mode in it.
I compiled Python 3.6 against FIPS OpenSSL, along with exposing
functions to enable FIPS mode in it, as explained here
<https://stackoverflow.com/questions/49493537/how-to-implement-fips-mode-and-fips-mode-set-in-python-3-6s-ssl-module>.
Python shows that it uses FIPS OpenSSL:
nsroot@Egress-1:~/openssl$ python3
Python 3.6.4 (default, Jan 10 2019, 21:10:38)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2q-fips 20 Nov 2018'
But when I do the following, I see a different version:
nsroot@Egress-1:~/python$ python3
Python 3.6.4 (default, Jan 10 2019, 21:10:38)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from OpenSSL import SSL
>>> print("OpenSSL: {}".format(SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode()),)
OpenSSL: OpenSSL 1.1.0j 20 Nov 2018
So I guess I am getting a different version because cryptography comes with
its own version of OpenSSL, as mentioned here:
https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux
Looking at the documentation, it looks like it's tested with FIPS OpenSSL:
https://cryptography.io/en/latest/installation/#supported-platforms.
The link
<https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux>
doesn't explain in detail how we can compile cryptography step by step with
any custom OpenSSL, here in my case with FIPS OpenSSL. Is there any other
link or documentation which I can follow to compile cryptography against
FIPS OpenSSL? Any help is appreciated.
Also, once it's compiled against FIPS OpenSSL, how do we enable FIPS mode in
it? The OpenSSL documentation says the application should call FIPS_mode_set()
to be really in FIPS mode. How do we do it for the OpenSSL used by
cryptography, so that the application mitmproxy uses FIPS crypto?
Thanks
Krishna kumar
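
The mismatch shown in the message above (the ssl module and the pyOpenSSL/cryptography bindings reporting different OpenSSL builds) can be checked in one script. This is an added example, not part of the original post or of either project; it handles 1.0.2-style banners like the two quoted above, the function names are made up for it, and the sample banners are copied from the post.

```python
import re
import ssl

# Banner shapes seen in the post: "OpenSSL 1.0.2q-fips 20 Nov 2018", "OpenSSL 1.1.0j 20 Nov 2018".
_BANNER = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(-fips)?\b")

# The two banners quoted in the post, keyed by the binding that printed them.
POST_BANNERS = {
    "ssl": "OpenSSL 1.0.2q-fips 20 Nov 2018",
    "pyOpenSSL/cryptography": "OpenSSL 1.1.0j 20 Nov 2018",
}

def parse_openssl_version(text):
    """Return (version, fips_capable) from an OpenSSL version banner."""
    m = _BANNER.match(text.strip())
    if m is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % (text,))
    return m.group(1), m.group(2) is not None

def collect_banners():
    """Banner of the OpenSSL each binding in this interpreter is linked to."""
    banners = {"ssl": ssl.OPENSSL_VERSION}
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
        banners["cryptography"] = backend.openssl_version_text()
    except ImportError:
        pass  # cryptography is not installed here
    return banners

def compare(banners):
    """List the problems found; an empty list means one FIPS-capable build."""
    parsed = {name: parse_openssl_version(b) for name, b in banners.items()}
    problems = []
    if len({version for version, _ in parsed.values()}) > 1:
        pairs = ", ".join("%s=%s" % (n, v) for n, (v, _) in sorted(parsed.items()))
        problems.append("bindings link different OpenSSL builds: " + pairs)
    for name, (version, fips) in sorted(parsed.items()):
        if not fips:
            # A "-fips" suffix marks a FIPS-capable 1.0.2 build only; it does
            # not show that FIPS_mode_set() has been called.
            problems.append("%s links a non-FIPS build (%s)" % (name, version))
    return problems

if __name__ == "__main__":
    for problem in compare(collect_banners()) or ["no mismatch found"]:
        print(problem)
```

Run it with the same interpreter that launches mitmproxy, since the result depends on which cryptography build that interpreter imports.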