ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips #1005
Comments
Hum, a similar case happened previously. For FIPS, md5 is not a good (/allowed) cryptographic primitive because it is weak. The problem is that we are using md5 for differentiating files to be uploaded for sync, but also for integrity checks of transfers. The case of FIPS is stupid because here md5 is not used in a cryptographic context. For your case, your only solution would be to modify the source of s3cmd if you can't change your distribution/ssl library. If you want my opinion, what I have read is that it is stupid to use the FIPS version of openssl because you will get legacy versions...
I had this issue with a python package that was using md5 for hashing identifiers. Specifically, it was Django when I was trying to migrate my database with Here is the command to do that if you don't want to dig through the file
This function is also found in the following file locations, but I would probably only change it if it causes an error.
I know this is somewhat unrelated to the question asked, but it is the first result on Google, and I wouldn't be surprised if it's the same or a similar issue here.
Sorry for a little bit of noise, but I have a blog post that's relevant to @aiskuld's comment about patching hashlib: http://blog.serindu.com/2019/11/12/django-in-fips-mode/ I monkey-patch the appropriate Django packages at runtime so I can avoid a forked codebase. That approach should be useful for any other instance of needing to utilize libraries using blocked algorithms for non-security purposes while in FIPS mode.
Issue is almost identical to s3tools/s3cmd#1005
Fixed, thanks to @maroth96!
## Summary & Motivation

For FIPS enabled systems the MD5 function is disabled in `openssl`. Since Dagster is using `hashlib.md5` in various locations (`dagster`, `dagster-dbt`, and `dagster-k8s`), on a FIPS enabled environment the UI will deliver the following error when trying to load the code location:

```
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_grpc/server.py", line 609, in _get_serialized_external_repository_data
    external_repository_data_from_def(
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_core/host_representation/external_data.py", line 1341, in external_repository_data_from_def
    asset_graph = external_asset_graph_from_defs(
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_core/host_representation/external_data.py", line 1531, in external_asset_graph_from_defs
    atomic_execution_unit_id = assets_def.unique_id
    ^^^^^^^^^^^^^^^^^^^^
  File "/opt/dagster/app/venv/lib/python3.11/site-packages/dagster/_core/definitions/assets.py", line 1254, in unique_id
    return hashlib.md5((json.dumps(sorted(self.keys))).encode("utf-8")).hexdigest()
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

A web search [indicates](s3tools/s3cmd#1005) that flagging such `hashlib.md5` uses with the `usedforsecurity=False` parameter will resolve this error. As far as I can ascertain, each of the modified usages are indeed NOT used for the security of the md5 algorithm but instead used to determine the uniqueness of the item(s) being hashed. If this is not the case, my PR will need to be corrected.

## How I Tested These Changes

I have deployed these changes on my own company's FIPS-enabled, k8s-based systems and seen the error resolved.
I am trying to use s3cmd on CentOS 7.5, and it works fine with `s3cmd ls s3://alpha-team-share/chefprod`
but when uploading:
s3cmd put backup_chef_2018-09-26-133542.tar.gz s3://alpha-team-share/chefprod
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
following lines (removing any private
info as necessary) to:
[email protected]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Invoked as: /bin/s3cmd put backup_chef_2018-09-26-133542.tar.gz s3://alpha-team-share/chefprod
Problem: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
S3cmd: 2.0.2
python: 2.7.5 (default, May 31 2018, 09:41:32)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
environment LANG=en_US.UTF-8
Traceback (most recent call last):
File "/bin/s3cmd", line 3092, in
rc = main()
File "/bin/s3cmd", line 3001, in main
rc = cmd_func(args)
File "/bin/s3cmd", line 369, in cmd_object_put
local_list, single_file_local, exclude_list, total_size_local = fetch_local_list(args, is_src = True)
File "/usr/lib/python2.7/site-packages/S3/FileLists.py", line 352, in fetch_local_list
total_size = _fetch_local_list_info(local_list)
File "/usr/lib/python2.7/site-packages/S3/FileLists.py", line 231, in _fetch_local_list_info
md5 = loc_list.get_md5(relative_file) # this does the file I/O
File "/usr/lib/python2.7/site-packages/S3/FileDict.py", line 48, in get_md5
md5 = Utils.hash_file_md5(self[relative_file]['full_name'])
File "/usr/lib/python2.7/site-packages/S3/Utils.py", line 260, in hash_file_md5
h = md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
above lines (removing any private
info as necessary) to:
[email protected]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I tried with disabling md5, same error:
s3cmd put backup_chef_2018-09-26-133542.tar.gz --no-check-md5 s3://alpha-team-share/chefprod
upload: 'backup_chef_2018-09-26-133542.tar.gz' -> 's3://alpha-team-share/chefprod' [part 1 of 14, 15MB] [1 of 1]
ERROR:
Upload of 'backup_chef_2018-09-26-133542.tar.gz' part 1 failed. Use
/bin/s3cmd abortmp s3://alpha-team-share/chefprod A0JRa0hmeyBjBcie3VEDFl_bHhjEkhDGr2nJCO095X0UmGmuFYR7n1mKEDtN2km.CrToyN6OhLdRVFtiW7AqmxHNPs_uhNzESzEO_M3xM6
to abort the upload, or
/bin/s3cmd --upload-id A0JRa0hmeyBjBcie3VEDFl_bHhjEkhDGr2nJCO095X0UmGmuFYR7n1mKEDtN2km.CrToyN6OhLdRVFtiW7AqmxHNPs_uhNzESzEO_M3xM6 put ...
to continue the upload.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
following lines (removing any private
info as necessary) to:
[email protected]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Invoked as: /bin/s3cmd put backup_chef_2018-09-26-133542.tar.gz --no-check-md5 s3://alpha-team-share/chefprod
Problem: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
S3cmd: 2.0.2
python: 2.7.5 (default, May 31 2018, 09:41:32)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
environment LANG=en_US.UTF-8
Traceback (most recent call last):
File "/bin/s3cmd", line 3092, in
rc = main()
File "/bin/s3cmd", line 3001, in main
rc = cmd_func(args)
File "/bin/s3cmd", line 421, in cmd_object_put
response = s3.object_put(full_name, uri_final, extra_headers, extra_label = seq_label)
File "/usr/lib/python2.7/site-packages/S3/S3.py", line 677, in object_put
return self.send_file_multipart(src_stream, headers, uri, size, extra_label)
File "/usr/lib/python2.7/site-packages/S3/S3.py", line 1603, in send_file_multipart
upload.upload_all_parts(extra_label)
File "/usr/lib/python2.7/site-packages/S3/MultiPart.py", line 119, in upload_all_parts
self.upload_part(seq, offset, current_chunk_size, labels, remote_status = remote_statuses.get(seq))
File "/usr/lib/python2.7/site-packages/S3/MultiPart.py", line 176, in upload_part
response = self.s3.send_file(request, self.file_stream, labels, buffer, offset = offset, chunk_size = chunk_size)
File "/usr/lib/python2.7/site-packages/S3/S3.py", line 1417, in send_file
md5_hash = md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
An unexpected error has occurred.
Please try reproducing the error using
the latest s3cmd code from the git master
branch found at:
https://github.com/s3tools/s3cmd
and have a look at the known issues list:
https://github.com/s3tools/s3cmd/wiki/Common-known-issues-and-their-solutions
If the error persists, please report the
above lines (removing any private
info as necessary) to:
[email protected]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!