Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[3.11] gh-118224: Load default OpenSSL provider for nonsecurity algorithms (GH-118236)#118239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed
xnox wants to merge2 commits intopython:3.11fromxnox:3.11-fix-nodefault-md5

Conversation

xnox
Copy link

@xnoxxnox commentedApr 24, 2024
edited by bedevere-appbot
Loading

When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython fallsback to internal hashlib implementation is there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.

… algorithmsWhen OpenSSL is configured to only load "base+fips" providers into theNull library context, md5 might not be available at all. In such casescurrently CPython fallsback to internal hashlib implementation isthere is one - as there might not be if one compiles python with--with-builtin-hashlib-hashes=blake2. With this change "default"provider is attempted to be loaded to access nonsecurity hashes.
@bedevere-app
Copy link

Most changes to Pythonrequire a NEWS entry. Add one using theblurb_it web app or theblurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply theskip news label instead.

@xnoxxnoxforce-pushed the3.11-fix-nodefault-md5 branch fromec55dc6 to15b95f2CompareApril 24, 2024 22:42
@encukou
Copy link
Member

This is not fixing a security issue, so it should not be backported to 3.11.
In general, please only open backport PRs after the main one is merged.

@encukouencukou closed thisMay 7, 2024
@xnox
Copy link
Author

xnox commentedMay 7, 2024

This is not fixing a security issue, so it should not be backported to 3.11. In general, please only open backport PRs after the main one is merged.

It is FedRAMP/FIPS compliance by-pass. This issue may allow using md5 without specifying "useforsecurity=False" on systems otherwise configured to be in FIPS-mode only. And is the primary reason why documentation mentions that certain distributions of python remove md5 module altogether.

Sure will wait for the main one to be merged.

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

2 participants
@xnox@encukou
[8]ページ先頭
©2009-2025 Movatter.jp