Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIPS 140-2 support #2

Open
andrewegel opened this issue Jan 31, 2024 · 0 comments
Open

FIPS 140-2 support #2

andrewegel opened this issue Jan 31, 2024 · 0 comments

Comments

@andrewegel
Copy link

I ran this library in a FIPS enforced environment and ran into this exception:

lib/python3.10/site-packages/psycopg2_iam/__init__.py", line 43, in _get_bundle_cert
    if hashlib.md5(bundle).hexdigest() != self._get_ca_bundle_hash():
ValueError: [digital envelope routines] unsupported

I worked around it by downloading the CA cert myself and providing the sslrootcert option to the library's connection factory so this code path isn't hit.

However it would be good to update the code here to use a more cryptographically secure algorithm (such as sha512). Another way thats cheating a little bit, is to add usedforsecurity=False to the library call - Some details here:

https://docs.python.org/3/library/hashlib.html

Changed in version 3.9: All hashlib constructors take a keyword-only argument usedforsecurity with default value True. A false value allows the use of insecure and blocked hashing algorithms in restricted environments. False indicates that the hashing algorithm is not used in a security context, e.g. as a non-cryptographic one-way compression function.

Since this is validating a checksum of a file, rather than for a security context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrewegel