[3.11] gh-118224: Load default OpenSSL provider for nonsecurity algorithms (GH-118236) by xnox · Pull Request #118239 · python/cpython
When OpenSSL is configured to only load "base+fips" providers into the Null library context, md5 might not be available at all. In such cases currently CPython falls back to internal hashlib implementation if there is one - as there might not be if one compiles python with --with-builtin-hashlib-hashes=blake2. With this change "default" provider is attempted to be loaded to access nonsecurity hashes.
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.
If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.
This is not fixing a security issue, so it should not be backported to 3.11.
In general, please only open backport PRs after the main one is merged.
> This is not fixing a security issue, so it should not be backported to 3.11. In general, please only open backport PRs after the main one is merged.
It is a FedRAMP/FIPS compliance bypass. This issue may allow using md5 without specifying "usedforsecurity=False" on systems otherwise configured to be in FIPS-mode only. And it is the primary reason why documentation mentions that certain distributions of python remove md5 module altogether.
Sure, will wait for the main one to be merged.
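The behaviour discussed in this thread can be checked from application code. The following is an added example, not part of the PR or of CPython: the hypothetical helpers `probe` and `nonsecurity_digest` report which backend `hashlib` resolves an algorithm to with and without `usedforsecurity=False`, and compute a non-security checksum that still works when md5 is unavailable.

```python
import hashlib


def probe(name: str) -> dict:
    """Report which module backs `name`, or None if hashlib refuses it.

    "default" is a plain hashlib.new(name); "nonsecurity" passes
    usedforsecurity=False, the flag the thread refers to.
    A value of "_hashlib" means the OpenSSL-backed implementation; a value
    such as "_md5" means CPython's builtin fallback was used instead.
    """
    result = {"algorithm": name}
    for label, kwargs in (("default", {}),
                          ("nonsecurity", {"usedforsecurity": False})):
        try:
            h = hashlib.new(name, **kwargs)
        except ValueError:
            # Raised when neither OpenSSL nor a builtin provides the digest,
            # e.g. FIPS-only providers plus --with-builtin-hashlib-hashes=blake2.
            result[label] = None
        else:
            result[label] = type(h).__module__
    return result


def nonsecurity_digest(data: bytes, preferred: str = "md5",
                       fallback: str = "sha256") -> tuple:
    """Checksum for non-security use (cache keys, ETags).

    Declares the intent with usedforsecurity=False and falls back to an
    approved algorithm when the preferred one is not available at all.
    """
    try:
        h = hashlib.new(preferred, data, usedforsecurity=False)
        used = preferred
    except ValueError:
        h = hashlib.new(fallback, data)
        used = fallback
    return used, h.hexdigest()


if __name__ == "__main__":
    for algorithm in ("md5", "sha256"):
        print(probe(algorithm))
    print(nonsecurity_digest(b"abc"))  # constructed sample input
```

On a FIPS-configured host, a `probe("md5")` result whose "default" entry is not `None` shows that md5 is reachable without the non-security flag, which is the situation described in the reply above.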