Proposal:

Currently, we have a bit of different messages when a hash algorithm is not supported. It's annoying because the user does not necessarily know what is what. Also, unfortunately, since OpenSSL 3.0, when a digest is not supported by the FIPS provider, then the reason message only contains "ValueError: [digital envelope routines] unsupported" and not the old "ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS" as functions are now no more indicated in OpenSSL errors.

This is a bit annoying, and especially very confusing in the following cases:

>>>_hashlib.openssl_md5()Traceback (mostrecentcalllast):File"<python-input-5>",line1,in<module>_hashlib.openssl_md5()~~~~~~~~~~~~~~~~~~~~^^_hashlib.UnsupportedDigestmodError: [digitalenveloperoutines]unsupported>>>importhmac>>>hmac.new(b"",b"","shake_128")...ValueError:errorinOpenSSLfunctionHMAC_Init_ex()

This does not give any information of why it failed. So we need to be better here, for the user at least. On the other hand, with blocked built-in functions, the ValueError is raised by__get_builtin_constructor, which has a better message.

Has this already been discussed elsewhere?

No response given

Links to previous discussion of this feature:

No response

Linked PRs

• gh-136787: raise consistent ValueError for bad hashes #136802