psycopg2.OperationalError: SSL error: disabled for FIPS #1170

Closed
paulbaby opened this issue Oct 19, 2020 · 5 comments

@paulbaby

paulbaby commented Oct 19, 2020

Getting the below error for a FIPS enabled RHEL8 machine.

import psycopg2
conn = psycopg2.connect(host=<host-ip>, port = 5432, database=<db-name>, user=<db-user>, password=<db-pwd>)
File "/opt/app-root/lib/python3.6/site-packages/psycopg2/__init__.py", line 127, in connect
    conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
psycopg2.OperationalError: SSL error: disabled for FIPS
FATAL:  no pg_hba.conf entry for host "<host-ip>", user "<db-user>", database "<db-name>", SSL off

Python 3.6.8 (default, Dec  5 2019, 15:45:45) 
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux

>>> psycopg2.__version__
'2.8.5 (dt dec pq3 ext lo64)'

>>> ssl.OPENSSL_VERSION
'OpenSSL 1.1.1c FIPS  28 May 2019'

pg_hba.conf has an entry
hostssl all all 0.0.0.0/0 md5

I have tried changing md5 to trust, but I am seeing the same issue.

I am able to connect to the DB using psql

psql -h <host-ip> -U <db-user> -d <db-name>
Password for user <db-user>: 
psql (11.9)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

Need some help here
TIA

@dvarrazzo
Member

dvarrazzo commented Oct 19, 2020

I don't know what FIPS is. Are you using psycopg2-binary?

@paulbaby
Author

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

We are using psycopg2-binary 2.8.5
md5 is not a secure hash algorithm as per FIPS standard. Do you know if the md5 hash algorithm is used cryptographically or not?

@dvarrazzo
Member

If you are using psycopg2-binary then it is using its own version of libssl, which probably doesn't support FIPS.

Please use psycopg2 from source, which will use the same libssl used by psql, so it will be able to connect.

@paulbaby
Author

@dvarrazzo
We changed to psycopg2 library and it's working now.
Thanks a lot for the help.

@dvarrazzo
Member

I'm glad. I understand that you need to be pretty much in control of what libssl to use: for your use case you should probably stay away from psycopg2-binary because it comes with its own libssl version and it might not be what you need.
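
The distinction drawn in the replies above (the libssl bundled with psycopg2-binary versus the system libssl that psql uses) can be checked on a running Linux process by listing which libssl, libcrypto and libpq files it has mapped. This is an added example, not code from the thread or from the psycopg2 project; the `.libs` file names in the constructed sample and the `/site-packages/` test for "bundled" are assumptions.

```python
"""Report which libssl/libcrypto/libpq a process has mapped (Linux only)."""
import re
from pathlib import Path

# Shared objects relevant to the "SSL error: disabled for FIPS" failure.
LIB_RE = re.compile(r"(/\S*?/(libssl|libcrypto|libpq)[^/\s]*\.so[^/\s]*)$")

# Constructed sample of /proc/<pid>/maps lines (not captured from a real host).
SAMPLE_MAPS = """\
7f1c00000000-7f1c00050000 r-xp 00000000 fd:00 1001 /opt/app-root/lib/python3.6/site-packages/psycopg2/.libs/libssl-aaaa1111.so.1.1
7f1c00100000-7f1c00300000 r-xp 00000000 fd:00 1002 /opt/app-root/lib/python3.6/site-packages/psycopg2/.libs/libcrypto-bbbb2222.so.1.1
7f1c00400000-7f1c00450000 r-xp 00000000 fd:00 1003 /opt/app-root/lib/python3.6/site-packages/psycopg2/.libs/libpq-cccc3333.so.5.12
7f1c00500000-7f1c00700000 r-xp 00000000 fd:00 2001 /usr/lib64/libcrypto.so.1.1.1c
7f1c00700000-7f1c00720000 r--p 00200000 fd:00 2001 /usr/lib64/libcrypto.so.1.1.1c
"""

def mapped_tls_libs(maps_text):
    """Return {path: 'bundled' | 'system'} for libssl/libcrypto/libpq mappings."""
    found = {}
    for line in maps_text.splitlines():
        m = LIB_RE.search(line.strip())
        if m:
            path = m.group(1)
            # Heuristic (assumption): a library under site-packages came from a wheel.
            found[path] = "bundled" if "/site-packages/" in path else "system"
    return found

def fips_enabled(flag_file="/proc/sys/crypto/fips_enabled"):
    """True if the kernel reports FIPS mode; False if off or the file is absent."""
    try:
        return Path(flag_file).read_text().strip() == "1"
    except OSError:
        return False

def report():
    """Import psycopg2 if present, then classify what this process has mapped."""
    try:
        import psycopg2  # noqa: F401  (loading it maps its libpq and libssl)
    except ImportError:
        pass
    libs = mapped_tls_libs(Path("/proc/self/maps").read_text())
    return fips_enabled(), libs

if __name__ == "__main__":
    fips, libs = report()
    print("kernel FIPS mode:", fips)
    for path, origin in sorted(libs.items()):
        print(f"{origin:8} {path}")
```

A "bundled" libssl on a host where the kernel reports FIPS mode matches the situation described in this thread; after installing psycopg2 from source, only "system" entries should remain for libssl and libpq.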
