Dynamic Linking of openssl 3.0.7 with Python 3.10.10 in FIPS mode

ssk199441 · June 6, 2023, 7:12pm

I am using my official docker alpine image where it contains openssl version 3.0.7 which was compiled to be on FIPS mode.

Now i want to make python 3.10/3.11 also in FIPS mode

I followed the below steps to make python in FIPS mode but it did not worked out

   "wget https://www.python.org/ftp/python/3.10.10/Python-3.10.10.tgz && tar -xvf Python-3.10.10.tgz",
        "cd Python-3.10.10",
        "export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/",
        "export OPENSSL_FIPS=1",
        "./configure --enable-shared --with-openssl-rpath=auto --with-ssl-default-suites=openssl",
        "make && make install",
        "python3 -m ensurepip --upgrade",
        "pip3 install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host=files.pythonhosted.org  --upgrade pip setuptools",
        "pip3 install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host=files.pythonhosted.org  wheel awscli retry requests datadog rich boto3 stomper websocket-client InquirerPy"

I am seeing the logs

checking for openssl/ssl.h in /usr/local/bin/openssl… no
checking whether compiling and linking against OpenSSL works… no
**checking for --with-openssl-rpath… **
checking whether OpenSSL provides required APIs… no
checking for --with-ssl-default-suites… python
checking for --with-builtin-hashlib-hashes… md5,sha1,sha256,sha512,sha3,blake2
checking for --with-experimental-isolated-subinterpreters… no

barry-scott · June 6, 2023, 11:17pm

When openssl headers and .so are not in the expected directories you will need to add options to ./configure to tell the build where they are.

zuhu2195 · June 6, 2023, 11:29pm

I guess your OpenSSL libs are not in standard library paths, you need to add the path where your OpenSSL libs are to —with-openssl option, like Barry mentioned. Check where your libssl.so and libcrypto.so are present , if they are not there then you need to build them yourself. I used two options while dynamically linking,

—with-openssl set to directory that contains header files and dlls, let’s say directory structure is as follows,

dlopenssl—>
—>Include/openssl —> header files
—>lib —> dlls

I set —with-openssl to dlopenssl and —with-openssl-rpath to dlopenssl/lib(these are not complete paths, you need to set complete ones in your case).

Topic		Replies	Views
On Windows how can we link to OpenSSL 1.0.2 (customized) version for Python 3.9.2 version Core Development	1	781	April 4, 2021
Build python3.11.5 with static openssl and libffi on centos7 Python Help build	9	2325	December 6, 2023
Dynamic Linking of OpenSSL Python Help build , help	11	2501	June 6, 2023
Python and OpenSSL FIPS mode Ideas	0	162	April 19, 2024
Python-3 with Openssl-3 FIPS enabled Python Help	8	5167	December 7, 2023

Dynamic Linking of openssl 3.0.7 with Python 3.10.10 in FIPS mode

Related Topics