Stackstorm failed to install on FIPS enabled env

srehubot · January 28, 2021, 7:38am

When installing stackstorm HA on OCP with FIPS enabled, we noticed below errors for most pods. Does Stackstorm support on FIPS enabled env? Any tip or guide for that? Thanks!

Traceback (most recent call last):
  File "/opt/stackstorm/st2/bin/st2auth", line 19, in <module>
    from st2auth.cmd.api import main
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2auth/cmd/api.py", line 23, in <module>
    from st2common.service_setup import setup as common_setup
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/service_setup.py", line 36, in <module>
    from st2common.util.debugging import enable_debugging
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/util/debugging.py", line 20, in <module>
    import paramiko
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/paramiko/transport.py", line 129, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/paramiko/transport.py", line 190, in Transport
    if KexCurve25519.is_available():
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 44, in generate
    return backend.x25519_generate_key()
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 2227, in x25519_generate_key
    evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 2215, in _evp_pkey_keygen_gc
    self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 131, in openssl_assert
    return binding._openssl_assert(self._lib, ok)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 78, in _openssl_assert
    errors_with_text
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=101306568, lib=6, func=157, reason=200, reason_text=b'error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS')])

Carlos · January 28, 2021, 9:56am

StackStorm uses Paramiko under the hood. According to the comments in this RedHat bug report Paramiko is not a FIPS approved OpenSSH implementation.

You could open an issue on github to get a discussion underway with the developers, but the work to replace paramiko with a FIPS compliant solution will probably be quite involved. My guess is you’d need to engage a StackStorm partner to get the work done or do the development yourself.

srehubot · January 28, 2021, 10:11am

Thank you for your response.
Yes, I have opened an issue here for further discussion, expect it could be included in the stackstorm roadmap.