[3.10] gh-118224: Load default OpenSSL provider for nonsecurity algorithms (GH-118236) #118240
Conversation
… algorithms When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython fallsback to internal hashlib implementation is there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
xnox
force-pushed
the
3.10-fix-nodefault-md5
branch
from
8b7f611
to
f524cb5
Compare
|
The Ubuntu x OpenSSL 3.1.3 pipeline failure is false negative, fix for said pipeline is in #118262 |
|
This is not fixing a security issue, so it should not be backported to 3.10. |
It is FedRAMP/FIPS compliance by-pass. This issue may allow using md5 without specifying "useforsecurity=False" on systems otherwise configured to be in FIPS-mode only. And is the primary reason why documentation mentions that certain distributions of python remove md5 module altogether. Re about merge sequence, sure, will wait until main one is merged. |
When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython fallsback to internal hashlib implementation is there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.