elastic / apm-agent-python

https://www.elastic.co/guide/en/apm/agent/python/current/index.html
BSD 3-Clause "New" or "Revised" License

apm agent fails in a FIPS enabled host #2115

Open adumont opened 2 months ago

adumont commented 2 months ago

We are running a webapp on Azure, which uses Elastic APM (elastic-apm==6.23.0). Since 08/29/2024, without changing anything, our app is failing to run, with:

```
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
```

We noticed the Azure webapp environment (linux) now has the following kernel parameter:

```
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
```

To Reproduce

```
# python
Python 3.12.2 (main, Feb 22 2024, 11:15:41) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import elasticapm
>>> apm=elasticapm.Client()
>>> elasticapm.instrument()
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
#
```

Environment (please complete the following information)

Additional context

```
(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# python
Python 3.12.2 (main, Feb 22 2024, 11:15:41) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import elasticapm
>>> apm=elasticapm.Client()
>>> elasticapm.instrument()
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910#

Linux aiops-dev_0ac897ce81 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024 x86_64 GNU/Linux

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

elastic-apm==6.23.0

(antenv) root@aiops-dev_0ac897ce81:/tmp/8dccb366a943910# python -V
Python 3.12.2
```

See attached file for detail about installed packages in the OS and version, as well as a detailed dump of the system calls.

issue.txt

xrmx commented 2 months ago

Thanks for reporting. Could you please run this script and see if it works? Trying to understand what python module may use something that is not fips friendly.

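```python
import socket
import ssl

hostname = 'www.python.org'
# Default context: certificate verification and hostname checking enabled
context = ssl.create_default_context()

# Open a TCP connection, then perform the TLS handshake over it
with socket.create_connection((hostname, 443)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        # Print the negotiated TLS protocol version
        print(ssock.version())
```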
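
One way to narrow down which call triggers the abort, as an added example that is not part of this thread or of the agent's code: each probe runs in a child interpreter, so a SIGABRT raised by OpenSSL is recorded instead of killing the diagnostic. The probe list and the function names are assumptions made for this example.

```python
import signal
import subprocess
import sys
from pathlib import Path

# Constructed probe list (an assumption of this example, not from the thread).
# Each snippet runs in its own interpreter, so an OpenSSL abort kills only
# that child and the remaining probes still run.
PROBES = {
    "import ssl": "import ssl; print(ssl.OPENSSL_VERSION)",
    "ssl default context": "import ssl; ssl.create_default_context()",
    "hashlib sha256": "import hashlib; hashlib.sha256(b'x').hexdigest()",
    "hashlib md5": "import hashlib; hashlib.md5(b'x').hexdigest()",
    "elasticapm.instrument()": "import elasticapm; elasticapm.Client(); elasticapm.instrument()",
}

def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True/False from the kernel flag; None if it cannot be read."""
    try:
        return Path(path).read_text().strip() == "1"
    except OSError:
        return None

def classify(returncode):
    """Map a child's exit status to a label; negative means killed by a signal."""
    if returncode == 0:
        return "ok"
    if returncode < 0:
        try:
            return "killed by " + signal.Signals(-returncode).name
        except ValueError:
            return "killed by signal %d" % -returncode
    return "python error (exit %d)" % returncode

def run_probe(code, timeout=60):
    """Run one snippet in a fresh interpreter; return (label, last stderr line)."""
    try:
        proc = subprocess.run([sys.executable, "-c", code],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    lines = proc.stderr.strip().splitlines()
    return classify(proc.returncode), lines[-1] if lines else ""

if __name__ == "__main__":
    print("kernel FIPS flag:", kernel_fips_enabled())
    for name, code in PROBES.items():
        print("%-26s %s  %s" % ((name,) + run_probe(code)))
```

The first probe reported as `killed by SIGABRT` is the earliest step that reaches the failing OpenSSL self-test; a `python error` on the md5 probe only means the digest was refused, not that the process aborted.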