- Does Python use the OpenSSL that is installed in the host VM/container? If yes, then is it fine if we enable FIPS mode on the "ssl" package and assume FIPS compliance? Code sample from https://stackoverflow.com/a/49382743/794242
#!/usr/bin/env python3
import sys
import ssl
import ctypes
import ctypes.util
# Report which OpenSSL the ssl module actually loaded at runtime; this is the library FIPS must cover.
print("Python ssl module uses:", ssl.OPENSSL_VERSION)
# The snippet as posted hard-coded "libcrypto.so.1.0.0" (OpenSSL 1.0.x); SLES 15 SP2 ships
# OpenSSL 1.1.1, whose shared object is libcrypto.so.1.1, so resolve the name instead.
libcrypto = ctypes.CDLL(ctypes.util.find_library("crypto") or "libcrypto.so.1.1")
fips_mode = libcrypto.FIPS_mode
fips_mode.argtypes = []
fips_mode.restype = ctypes.c_int
fips_mode_set = libcrypto.FIPS_mode_set
fips_mode_set.argtypes = [ctypes.c_int]
fips_mode_set.restype = ctypes.c_int
# FIPS_mode_set(1) returns 1 on success and 0 if this libcrypto has no FIPS module
# (legacy 1.0.x/1.1.x API; OpenSSL 3 deprecates it in favour of EVP_default_properties_enable_fips).
if not fips_mode_set(1):
    sys.exit("FIPS_mode_set(1) failed: this libcrypto is not FIPS-capable")
print("FIPS mode:", fips_mode())
The FIPS validation certificates at https://www.openssl.org/docs/fips.html seem to be for 1.0.2, which is EOL, and even the validation certs are marked as "Historical".
As per https://www.suse.com/support/security/certifications/, SUSE Linux Enterprise Server 15 SP2 is FIPS validated. So, if I create a Docker container using https://registry.suse.com/static/suse/sle15sp2/index.html, install Python 3 on it, and switch FIPS mode on using the above code, will it be safe to assume that the Python program will be FIPS compliant for the part where it hosts an HTTPS server or calls other APIs by acting as an HTTPS client?
I did create a Docker container using the SLES image, and a naive test reveals that it complains about md5 if OPENSSL_FIPS is set to 1. Is this a good enough indicator that the OpenSSL in this image is FIPS compliant, apart from the fact that SUSE says their distribution is FIPS validated?
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cbd95e6d3253 registry.suse.com/suse/sle15:15.2 "/bin/bash" 4 hours ago Up About an hour sles15.2
docker exec -it sles15.2 /bin/sh
sh-4.4# openssl version
OpenSSL 1.1.1d 10 Sep 2019
sh-4.4# OPENSSL_FIPS=1 openssl md5 /dev/null
md5 is not a known digest
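An added self-check script, not code from the question, from SUSE or from the linked Stack Overflow answer, that turns the three points raised above into in-process checks: whether the `ssl` module is linked against the same OpenSSL as the system `openssl` binary (the one the distribution's validation covers), whether that libcrypto reports FIPS mode on, and whether a non-approved digest (MD5) is actually refused inside the Python process rather than only by the `openssl` CLI. It assumes a Linux host with the `openssl` binary on PATH and a libcrypto that `ctypes.util.find_library("crypto")` can locate; the decision logic is kept in a pure function so it can be checked with constructed observations.

```python
#!/usr/bin/env python3
"""Probe whether a Python process is really running on a FIPS-enforcing OpenSSL.

Added example (not from the question). Before "FIPS compliant" can be claimed for
the ssl module, three things must hold:
  1. the ssl module is linked against the system libssl/libcrypto, not a private
     copy bundled with the interpreter (pip wheels, conda, pyenv builds can do that);
  2. libcrypto itself reports FIPS mode on (FIPS_mode() == 1, OpenSSL 1.0/1.1 API);
  3. a non-approved algorithm (MD5) is refused by OpenSSL inside this process.
"""
import ctypes
import ctypes.util
import re
import ssl
import subprocess
from typing import List, Optional


def openssl_version_token(banner: str) -> str:
    """Extract '1.1.1d' from a banner such as 'OpenSSL 1.1.1d  10 Sep 2019'.

    Works for both ssl.OPENSSL_VERSION (the library loaded at runtime, not the
    build-time header) and the line printed by `openssl version`.
    """
    m = re.match(r"OpenSSL\s+(\S+)", banner.strip())
    return m.group(1) if m else ""


def libcrypto_fips_mode(libname: Optional[str] = None) -> Optional[int]:
    """Return FIPS_mode() from libcrypto, or None if it cannot be asked.

    libname defaults to whatever ctypes resolves for "crypto" (assumed to be
    libcrypto.so.1.1 on SLES 15 SP2). FIPS_mode() is the OpenSSL 1.0.x/1.1.x
    API; OpenSSL 3 deprecates it in favour of EVP_default_properties_is_fips_enabled.
    """
    path = libname or ctypes.util.find_library("crypto")
    if not path:
        return None
    try:
        fn = ctypes.CDLL(path).FIPS_mode
    except (OSError, AttributeError):
        return None
    fn.argtypes, fn.restype = [], ctypes.c_int
    return fn()


def openssl_md5_usable() -> bool:
    """True if OpenSSL's MD5 can be initialised from this process.

    Deliberately uses _hashlib.openssl_md5 rather than hashlib.md5(): upstream
    CPython's hashlib falls back to its built-in C MD5 when OpenSSL refuses the
    digest, so hashlib.md5() can succeed even under a FIPS-enforcing libcrypto.
    """
    try:
        import _hashlib  # the OpenSSL-backed extension module behind hashlib
    except ImportError:
        return False
    try:
        _hashlib.openssl_md5(b"")
        return True
    except ValueError:  # libcrypto refused the digest ("disabled for FIPS"/"unsupported")
        return False


def assess(python_banner: str, cli_banner: str,
           fips_mode: Optional[int], md5_usable: bool) -> List[str]:
    """Pure decision logic over the observations; returns the list of problems found."""
    problems = []
    py_ver = openssl_version_token(python_banner)
    cli_ver = openssl_version_token(cli_banner)
    if not py_ver or py_ver != cli_ver:
        problems.append(
            f"ssl module linked against OpenSSL {py_ver or '?'} but the system "
            f"openssl is {cli_ver or '?'}: the distro's validation does not cover it")
    if fips_mode != 1:
        problems.append("libcrypto reports FIPS mode off (FIPS_mode() != 1)")
    if md5_usable:
        problems.append("OpenSSL still accepts MD5 in this process: FIPS restrictions not enforced")
    return problems


def probe(libname: Optional[str] = None) -> List[str]:
    """Collect live observations and assess them; an empty list means all checks passed."""
    try:
        cli_banner = subprocess.run(["openssl", "version"], capture_output=True,
                                    text=True, check=False).stdout
    except FileNotFoundError:
        cli_banner = ""
    return assess(ssl.OPENSSL_VERSION, cli_banner,
                  libcrypto_fips_mode(libname), openssl_md5_usable())


if __name__ == "__main__":
    found = probe()
    print("Python ssl module:", ssl.OPENSSL_VERSION)
    for p in found:
        print("PROBLEM:", p)
    raise SystemExit(1 if found else 0)
```

A matching version string is necessary but not sufficient: a statically linked interpreter build can report the same 1.1.1d banner while never touching the system library. After `import ssl`, grepping `/proc/self/maps` for `libcrypto` shows the path that was actually mapped, which is the stronger check when in doubt.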