apm agent fails in a FIPS enabled host #2115

Open
adumont opened this issue Sep 2, 2024 · 1 comment

adumont commented Sep 2, 2024

We are running a webapp on Azure, which uses Elastic APM (elastic-apm==6.23.0). Since 08/29/2024, without changing anything, our app is failing to run, with:

```
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
```

We noticed the Azure webapp environment (linux) now has the following kernel parameter:

```
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
```

To Reproduce

```
# python
Python 3.12.2 (main, Feb 22 2024, 11:15:41) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import elasticapm
>>> apm=elasticapm.Client()
>>> elasticapm.instrument()
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
#
```

Environment (please complete the following information)

  • OS: Linux hostname 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024 x86_64 GNU/Linux
  • Python version: 3.12
  • APM Server version: irrelevant, it fails before even connecting (no need to have an APM server to test it)
  • Agent version: 6.23.0

Additional context

```
(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# python
Python 3.12.2 (main, Feb 22 2024, 11:15:41) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import elasticapm
>>> apm=elasticapm.Client()
>>> elasticapm.instrument()
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910#


Linux aiops-dev_0ac897ce81 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024 x86_64 GNU/Linux

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

elastic-apm==6.23.0

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# python -V
Python 3.12.2
```

See attached file for details about installed packages in the OS and version, as well as a detailed dump of the system calls.

issue.txt

github-actions bot added the agent-python, community and triage labels Sep 2, 2024

xrmx (Member) commented Sep 3, 2024

Thanks for reporting. Could you please run this script and see if it works? Trying to understand what python module may use something that is not fips friendly.

```python
import socket
import ssl

hostname = 'www.python.org'
context = ssl.create_default_context()

with socket.create_connection((hostname, 443)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(ssock.version())
```
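
Added example, not part of the thread or of the Elastic APM agent: because the failure reported above is a process abort rather than a Python exception, each candidate can be run in its own child interpreter so that one abort does not end the whole check. The probe list (apart from the reproduction taken from the issue) and the function names are assumptions.

```python
import signal
import subprocess
import sys

# The first three probes are assumed candidates (standard-library code
# paths that call into OpenSSL); the last is the reproduction from the issue.
PROBES = {
    "hashlib.sha256": "import hashlib; hashlib.sha256(b'x').hexdigest()",
    "hashlib.md5": "import hashlib; hashlib.md5(b'x').hexdigest()",
    "ssl context": "import ssl; ssl.create_default_context()",
    "elasticapm": "import elasticapm; elasticapm.Client(); elasticapm.instrument()",
}


def last_line(text):
    lines = text.strip().splitlines()
    return lines[-1] if lines else ""


def probe(snippet, timeout=60):
    """Run snippet in a child interpreter; return (status, detail)."""
    try:
        proc = subprocess.run([sys.executable, "-c", snippet],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    detail = last_line(proc.stderr)
    if proc.returncode == 0:
        return "ok", detail
    if proc.returncode < 0:
        # Negative code on POSIX: the child died from a signal, e.g. the
        # SIGABRT behind "Aborted (core dumped)".
        try:
            sig = signal.Signals(-proc.returncode).name
        except ValueError:
            sig = str(-proc.returncode)
        return "killed:" + sig, detail
    return "exception", detail


def run_all(probes=PROBES):
    return {name: probe(code) for name, code in probes.items()}


if __name__ == "__main__":
    for name, (status, detail) in run_all().items():
        print(f"{name:16} {status:16} {detail}")
```

A `killed:SIGABRT` status separates a self-test abort from an ordinary exception raised by a disabled algorithm, and the detail column carries the last line the child wrote to stderr.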
