Change auth.py to be used in a FIPS system
Expected Result
Using requests to perform an HTTPS action works in a FIPS environment
Actual Result
In a UNIX environment with FIPS enabled, MD5 can't be used. It produces this error:
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
Solution
Apply this patch in auth.py
`
*** 145,151 ****
def md5_utf8(x):
if isinstance(x, str):
x = x.encode("utf-8")
! return hashlib.md5(x).hexdigest()
hash_utf8 = md5_utf8
elif _algorithm == "SHA":
--- 145,151 ----
def md5_utf8(x):
if isinstance(x, str):
x = x.encode("utf-8")
! return hashlib.md5(x,usedforsecurity=False).hexdigest()
hash_utf8 = md5_utf8
elif _algorithm == "SHA":
`
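Review bot: On the changed line in md5_utf8, `hashlib.md5(x,usedforsecurity=False)` labels the digest as a non-security use, yet `hash_utf8 = md5_utf8` is the hash this auth code goes on to use, so the flag misdescribes the call and switches off the FIPS block for exactly the use the policy is meant to stop. The keyword is also passed unconditionally, and the thread notes it only exists on Python >= 3.9, so on an older interpreter this line would raise a TypeError instead of the current ValueError. If MD5 has to stay reachable on FIPS hosts, make it an explicit opt-in with a comment explaining why, guard the keyword by interpreter version, and add the missing space after the comma; otherwise leave this branch alone and steer FIPS users to the `elif _algorithm == "SHA":` branch.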
Could I work on this ticket?
The usedforsecurity parameter is only available in Python >= 3.9. The plan is to set usedforsecurity to True only if the Python version is >= 3.9.
That seems OK to me. We already use Python 3.10/3.11 in our environment, and I believe most cases do too.
We support all supported Python versions, which still includes 3.9
After giving this a thought, I am hesitant on adding the usedforsecurity attribute to MD5 in the HTTPDigestAuth class for the following reasons:
- Security Documentation Conflict
  - The hashlib documentation explicitly states that `usedforsecurity` should only be used in non-security contexts. Adding this attribute to HTTPDigestAuth would directly contradict this guidance.
  - RFC 7616 does not recommend MD5 as a secure hashing algorithm for digest authentication.
- FIPS Compliance and Compatibility Risks
  - Setting `usedforsecurity=False` could inadvertently enable MD5-based HTTPDigestAuthentication in environments and could cause trouble for any users using `requests` in a FIPS environment.
Recommendation:
- Close this issue
- For teams requiring this specific configuration, recommend forking and maintaining a custom patched version
- Encourage migration to more secure hashing algorithms (e.g., SHA)
In my experience working with customers requiring FIPS compliance, they typically prefer upgrading to more secure authentication methods rather than maintaining legacy MD5-based approaches.
I get errors running the tests with FIPS enabled. Maybe it would be good to automatically skip the tests which depend on md5.
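An added example (not part of the thread and not code from requests) covering the last two suggestions above: it probes whether a hash constructor works under the local crypto policy, picks the strongest Digest algorithm that does, and skips tests that need a blocked hash. The token mapping, the function names and the `FipsLikeHashlib` stand-in are assumptions made for the illustration.

```python
import hashlib
import unittest

# Assumption for this example: Digest "algorithm" tokens mapped to hashlib
# constructor names. MD5 and SHA appear in the patch; SHA-256 is from RFC 7616.
TOKEN_TO_HASH = {"MD5": "md5", "SHA": "sha1", "SHA-256": "sha256"}
PREFERENCE = ["SHA-256", "SHA", "MD5"]  # strongest first


def hash_usable(name, provider=hashlib):
    """True if provider.<name>() works as a normal (security-context) hash."""
    try:
        getattr(provider, name)(b"probe").hexdigest()
        return True
    except (ValueError, AttributeError):  # ValueError is what FIPS mode raises
        return False


def pick_algorithm(offered, provider=hashlib):
    """Strongest server-offered algorithm that the local crypto policy permits."""
    offered = {token.upper() for token in offered}
    for token in PREFERENCE:
        if token in offered and hash_usable(TOKEN_TO_HASH[token], provider):
            return token
    return None  # nothing usable: fail closed instead of forcing MD5


def requires_hash(name, provider=hashlib):
    """unittest decorator: skip the test when the hash is blocked on this host."""
    return unittest.skipUnless(hash_usable(name, provider),
                               f"{name} is disabled by the local crypto policy")


class FipsLikeHashlib:
    """Constructed stand-in for hashlib on a FIPS host (not a real module)."""
    sha1 = staticmethod(hashlib.sha1)
    sha256 = staticmethod(hashlib.sha256)

    @staticmethod
    def md5(data=b""):
        raise ValueError("[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS")


if __name__ == "__main__":
    print("md5 usable here:", hash_usable("md5"))
    print("simulated FIPS pick:", pick_algorithm(["MD5", "SHA-256"], FipsLikeHashlib))
```

The probe calls the named constructor, the same form as the `hashlib.md5(x)` call in the patch, so it fails the same way that call does when the policy blocks MD5.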