gh-118224: Load default OpenSSL provider for nonsecurity algorithms by xnox · Pull Request #118236 · python/cpython
When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython falls back to internal hashlib implementation if there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.
It is a FedRAMP/FIPS compliance by-pass. This issue may allow using md5 without specifying "usedforsecurity=False" on systems otherwise configured to be in FIPS-mode only, and is the primary reason why the documentation mentions that certain distributions of Python remove the md5 module altogether.
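A defender-side check for the behaviour discussed above, as an added example that is not part of the pull request or of CPython: it reports whether a digest can be constructed with the default `usedforsecurity=True`, only with `usedforsecurity=False`, or not at all. The names `probe`, `audit`, `bypass_findings` and the injectable `new` parameter are assumptions of this example.

```python
import hashlib


def probe(name, new=hashlib.new):
    """Classify how digest `name` can be constructed.

    `new` is injectable (an assumption of this example) so the logic can be
    run against simulated provider configurations as well as the live one.
    """
    def attempt(**kwargs):
        try:
            return new(name, **kwargs)
        except ValueError:  # hashlib raises ValueError for unsupported/blocked digests
            return None

    strict = attempt()                         # default: usedforsecurity=True
    relaxed = attempt(usedforsecurity=False)   # explicit non-security use
    if strict is not None:
        status = "unrestricted"       # usable without declaring intent
    elif relaxed is not None:
        status = "nonsecurity-only"   # only with usedforsecurity=False
    else:
        status = "unavailable"        # no provider and no builtin fallback
    obj = strict if strict is not None else relaxed
    # Module of the returned type: "_hashlib" means OpenSSL-backed,
    # "_md5" and similar mean CPython's builtin implementation.
    backend = type(obj).__module__ if obj is not None else None
    return {"algorithm": name, "status": status, "backend": backend}


def audit(names=("md5", "sha1", "sha256"), new=hashlib.new):
    """Probe several digests and return {name: probe result}."""
    return {n: probe(n, new) for n in names}


def bypass_findings(report, blocked=("md5",)):
    """Digests expected to be blocked for security use that are not."""
    return [n for n in blocked
            if n in report and report[n]["status"] == "unrestricted"]


if __name__ == "__main__":
    report = audit()
    for row in report.values():
        print(row)
    print("findings:", bypass_findings(report))
```

On a host that is meant to be FIPS-only, a non-empty findings list means md5 can be constructed without `usedforsecurity=False`.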
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.
If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.
and rewrote all commits in all branches/backports.
Did you do a rebase or delete the old branch? Because I can't find that commit.
Is double-backticks appropriate formatting
Looks like it, '``--[^\`]+``' is used 294 times, and '``--[^\`]+=[^\`]+``' 25 times.
maybe the blurb-it service needs pre-commit checking / checks for single backticks.
Yeah, I was thinking that too.
and rewrote all commits in all branches/backports.
Did you do a rebase or delete the old branch? Because I can't find that commit.
rebase, all commits are documented in this PR. If you use web-ui or extensive API, you can see these mentions:
@xnox force-pushed the fix-nodefault-md5 branch from 7a5adff to 092ab97
2 weeks ago
@xnox force-pushed the fix-nodefault-md5 branch from 092ab97 to a47a53f
2 weeks ago
You can click on those commits to still see them dangling and not part of any branch or pull request.
7a5adff was the blurb-it service generated entry.
a47a53f is the current state of this pull request, which was fixed-up with double backticks.