Type: Bug
Resolution: Not a Bug
Priority: Major
Affects versions: rhel-8.10, CentOS Stream 9, CentOS Stream 10, rhel-10.1, rhel-9.7
rhel-security-crypto-diamonds
OPENSSL_FORCE_FIPS_MODE set to "0" or even "" (any non-NULL value) activates FIPS mode. This can cause an abort() in many non-FIPS environments due to FIPS SELFTEST FAILURE.
What were you trying to do that didn't work?
While not representative of this whole bug, this is what led to its discovery:
pip install opencv-python-headless==4.13.0.90 # latest
python3 -c "import cv2"
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
opencv-python(-headless) bundles its own libcrypto module (1.1.1k), and this was in an environment that has OPENSSL_FORCE_FIPS_MODE="0" set by default (with no /proc/sys/crypto/fips_enabled present).
What is the impact of this issue to you?
Customers running their jobs in common execution environments (Databricks Runtime) hit the above FIPS SELFTEST FAILURE (abort) when attempting to use our library.
For context, setting OPENSSL_FORCE_FIPS_MODE="0" is a suggested workaround for an Ubuntu bug, and has been incorporated into Databricks images:
Please provide the package NVR for which the bug is seen:
As recent as openssl-libs-1:3.5.1-5.el10_1.x86_64 in UBI 10.
However, the bug was initially observed in a bundled libcrypto.so built from Red Hat-patched OpenSSL 1.1.1k sources (build date: Oct 9 2024). The library is currently distributed inside the opencv-python and opencv-python-headless PyPI packages.
How reproducible is this bug?:
Always.
Steps to reproduce
- docker run --rm redhat/ubi10:latest sh -c 'dnf install -yq openssl; echo "With OPENSSL_FORCE_FIPS_MODE=0:"; OPENSSL_FORCE_FIPS_MODE=0 openssl list -providers; echo; echo "Without:"; openssl list -providers'
Expected results
With OPENSSL_FORCE_FIPS_MODE=0:
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active

Without:
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
Actual results
With OPENSSL_FORCE_FIPS_MODE=0:
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.5.1
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active

Without:
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
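A preflight check for the condition this report describes, added here as an example; it is not part of the bug report or of OpenSSL. It treats OPENSSL_FORCE_FIPS_MODE as forcing FIPS mode whenever the variable is set at all (including "0" and ""), which is the behaviour the summary describes for Red Hat-patched builds, and it parses the output of `openssl list -providers` to confirm whether the fips provider actually ended up active. Function and variable names are my own, and the provider listing is a constructed copy of the report's "Actual results".

```shell
# Preflight check for the OPENSSL_FORCE_FIPS_MODE pitfall (constructed example).
# On the Red Hat-patched builds the report describes, the variable being *set*
# (to "0", "" or anything else) forces FIPS mode; only an unset variable does not.

# Returns 0 if the variable is set at all (the condition that forces FIPS),
# 1 if it is unset. ${VAR+x} makes an empty string still count as set.
force_fips_env_is_set() {
    [ -n "${OPENSSL_FORCE_FIPS_MODE+x}" ]
}

# Classifies the current environment. Prints one of:
#   unset          - nothing forces FIPS mode
#   forced:<value> - variable present; FIPS mode is forced regardless of value
fips_env_state() {
    if force_fips_env_is_set; then
        printf 'forced:%s\n' "$OPENSSL_FORCE_FIPS_MODE"
    else
        printf 'unset\n'
    fi
}

# Reads `openssl list -providers` output on stdin; returns 0 if a provider
# named "fips" is listed with "status: active", 1 otherwise.
fips_provider_active() {
    awk '
        /^[[:space:]]*[A-Za-z]/ && $0 !~ /:/ { prov = $1; next }   # provider name line
        prov == "fips" && /status:[[:space:]]*active/ { found = 1 }  # its status line
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: the listing the report shows with OPENSSL_FORCE_FIPS_MODE=0,
# indented as openssl prints it.
SAMPLE_FORCED='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.5.1
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active'
```

In an image build, `fips_env_state` reporting `forced:` anything while /proc/sys/crypto/fips_enabled is absent is the configuration that produced the abort above; the fix on the image side is to unset the variable rather than set it to "0".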
Source Code Links
Below are links to the specific lines causing the issue in c10s, c9s, and c8s:
https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c8s/openssl-1.1.1-fips.patch#L9641