
apm agent fails in a FIPS enabled host

Open adumont opened this issue 1 year ago • 1 comments

We are running a webapp on Azure, which uses Elastic APM (elastic-apm==6.23.0). Since 08/29/2024, without changing anything, our app is failing to run, with:

crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)

We noticed the Azure webapp environment (linux) now has the following kernel parameter:

# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

To Reproduce

# python
Python 3.12.2 (main, Feb 22 2024, 11:15:41) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import elasticapm
>>> apm=elasticapm.Client()
>>> elasticapm.instrument()
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
#

Environment (please complete the following information)

  • OS: Linux hostname 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024 x86_64 GNU/Linux
  • Python version: 3.12
  • APM Server version: irrelevant, it fails before even connecting (no need to have an APM server to test it)
  • Agent version: 6.23.0

Additional context

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# python
Python 3.12.2 (main, Feb 22 2024, 11:15:41) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import elasticapm
>>> apm=elasticapm.Client()
>>> elasticapm.instrument()
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# 


Linux aiops-dev_0ac897ce81 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024 x86_64 GNU/Linux

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

elastic-apm==6.23.0

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# python -V
Python 3.12.2

See attached file for detail about installed packages in the OS and version, as well as a detailed dump of the system calls.

issue.txt

adumont avatar Sep 02 '24 11:09 adumont

Thanks for reporting. Could you please run this script and see if it works? Trying to understand what python module may use something that is not fips friendly.

import socket
import ssl

hostname = 'www.python.org'
context = ssl.create_default_context()

with socket.create_connection((hostname, 443)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(ssock.version())

xrmx avatar Sep 03 '24 09:09 xrmx
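
An added example, not part of the thread and not code from the elastic-apm project: because the failure in the report is an OpenSSL abort that kills the interpreter, this sketch runs each candidate import or call in a child process and records which one dies on a signal. The probe list is constructed for illustration (its last entry is the reproducer from the report), and `fips_enabled` and `probe` are hypothetical helper names.

```python
"""Isolate which import or call aborts the interpreter on a FIPS-enabled host."""
import signal
import subprocess
import sys

# Constructed probe list; the last entry is the reproducer from the report.
PROBES = [
    "import ssl; print(ssl.OPENSSL_VERSION)",
    "import ssl; ssl.create_default_context()",
    "import hashlib; hashlib.sha256(b'x')",
    "import hashlib; hashlib.md5(b'x')",
    "import hashlib; hashlib.md5(b'x', usedforsecurity=False)",
    "import elasticapm; elasticapm.Client(); elasticapm.instrument()",
]


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Same value `sysctl crypto.fips_enabled` reports; False if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def probe(snippet, timeout=60):
    """Run snippet in a child interpreter so an OpenSSL abort() cannot kill us.

    Returns (status, detail): status is 'ok', 'aborted', 'error' or 'timeout'.
    """
    try:
        proc = subprocess.run([sys.executable, "-c", snippet],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    lines = (proc.stderr or proc.stdout).strip().splitlines()
    detail = lines[-1] if lines else ""
    if proc.returncode < 0:  # killed by a signal, e.g. SIGABRT from abort()
        return "aborted", f"{signal.Signals(-proc.returncode).name}: {detail}"
    return ("ok" if proc.returncode == 0 else "error"), detail


if __name__ == "__main__":
    print("crypto.fips_enabled =", int(fips_enabled()))
    for snippet in PROBES:
        status, detail = probe(snippet)
        print(f"{status:8} {snippet}\n         {detail}")
```

The first probe reported as `aborted` narrows the failure to that module or call; an `error` line only means the child raised a normal Python exception (for example, the package is not installed).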