Multiple Packages Failing - FIPS compatibility Issue?

I have a script that works fine on servers where FIPS is disabled. When running on a servers with FIPS enabled, I get the following -

    File "/tmp/", line 15, in <module>
    import ijson
  File "/usr/lib64/python3.6/site-packages/ijson/", line 36, in <module>
    backend = _default_backend()
  File "/usr/lib64/python3.6/site-packages/ijson/", line 32, in _default_backend
    return get_backend(backend)
  File "/usr/lib64/python3.6/site-packages/ijson/", line 24, in get_backend
    return importlib.import_module('ijson.backends.' + backend)
  File "/usr/lib64/python3.6/importlib/", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "/usr/lib64/python3.6/site-packages/ijson/backends/", line 61, in <module>
  File "/usr/lib64/python3.6/site-packages/cffi/", line 105, in cdef
    self._cdef(csource, override=override, packed=packed)
  File "/usr/lib64/python3.6/site-packages/cffi/", line 119, in _cdef
    self._parser.parse(csource, override=override, **options)
  File "/usr/lib64/python3.6/site-packages/cffi/", line 299, in parse
  File "/usr/lib64/python3.6/site-packages/cffi/", line 304, in _internal_parse
    ast, macros, csource = self._parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/", line 260, in _parse
    ast = _get_parser().parse(csource)
  File "/usr/lib64/python3.6/site-packages/cffi/", line 40, in _get_parser
    _parser_cache = pycparser.CParser()
  File "/usr/lib/python3.6/site-packages/pycparser/", line 111, in __init__
  File "/usr/lib/python3.6/site-packages/ply/", line 3277, in yacc
    signature = pinfo.signature()
  File "/usr/lib/python3.6/site-packages/ply/", line 2979, in signature
    digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignment

I did change line 2966 of /usr/lib/python3.6/site-packages/ply/ from sig = md5() to sig = md5(usedforsecurity=False) but that did not help.

Python version is 3.6.8

Is there some way around these errors that I am missing?


According to

the usedforsecurity argument was first introduced in Python 3.9, so
unless someone backports that change to your 3.6 (maybe some distros
have done that, I don’t know) it’s not usable there.

RHEL 8 or equivalent by any chance?

You have to set a custom openssl policy to allow use of ciphers etc outside of the system crypto policy.
This can be done with environment variables. Or you turn down the crypto policy level globally on the system.

Thanks for the version comment. I didn’t catch the usedforsecurity was available from 3.9 on.

That explains why it did not work.

Have not made it to RHEL 8 yet. Still on 7.

I did find this Reworked signature code to not use digests or hashes. · dabeaz/ply@3335be2 · GitHub which fixed my problem.

Hopefully, at some point, we can get beyond version 3.6