
I am trying to install packages with pip on a newly created RHEL 8 server, with FIPS enabled and running OpenSSL 1.1.1k, and am getting an error about a bad dh value.

```
pip3 install --trusted-host pypi.python.org --trusted-host pypi.org --trusted-host files.pythonhosted.org jupyterlab_widgets ipyleaflet
Collecting jupyterlab_widgets
  Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)'),)': /simple/jupyterlab-widgets/
  Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)'),)': /simple/jupyterlab-widgets/
  Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)'),)': /simple/jupyterlab-widgets/
  Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)'),)': /simple/jupyterlab-widgets/
  Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)'),)': /simple/jupyterlab-widgets/
  Could not fetch URL https://pypi.python.org/simple/jupyterlab-widgets/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/jupyterlab-widgets/ (Caused by SSLError(SSLError(1, '[SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)'),)) - skipping
```

What is interesting is that if I downgrade my version of OpenSSL from 1.1.1k to 1.1.1c, it works without issue.

Red Hat lists a known issue saying:

> OpenSSL in FIPS mode accepts only specific D-H parameters
>
> In FIPS mode, Transport Security Layer (TLS) clients that use OpenSSL return a bad dh value error and abort TLS connections to servers that use manually generated parameters. This is because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with D-H parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL ignore all other parameters and instead select known parameters of similar size. To work around this problem, use only the compliant groups.

Is there any way to specify the cipher groups that pip3 uses?

awestover89
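An added example, not part of the question or of Red Hat's text: it rebuilds two of the 2048-bit groups the known issue lists (RFC 3526 group 14 and RFC 7919 ffdhe2048) from the formulas in those RFCs, then checks whether a given DH prime is one of them, which is the test a "manually generated" server parameter fails. All function names are hypothetical, and the larger groups are left out.

```python
# Added example: names below are hypothetical, not from pip, OpenSSL or Red Hat.
GUARD = 64  # extra fixed-point bits so truncation error never reaches the floor


def _atan_inv(x, scale):
    """atan(1/x) * scale, by the alternating Taylor series in integers."""
    term = total = scale // x
    k, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // k)
        k, sign = k + 2, -sign
    return total


def _pi(scale):
    """pi * scale via Machin's formula."""
    return 16 * _atan_inv(5, scale) - 4 * _atan_inv(239, scale)


def _e(scale):
    """e * scale via the series sum of 1/k!."""
    term = total = scale
    k = 1
    while term:
        term //= k
        total += term
        k += 1
    return total


def group_prime(bits, constant, offset):
    """2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * constant) + offset)."""
    frac = constant(1 << (bits - 130 + GUARD)) >> GUARD
    return (1 << bits) - (1 << (bits - 64)) - 1 + ((frac + offset) << 64)


# Offsets are the ones published in RFC 3526 section 3 and RFC 7919 appendix A.1.
APPROVED = {
    group_prime(2048, _pi, 124476): "RFC 3526 group 14",
    group_prime(2048, _e, 560316): "RFC 7919 ffdhe2048",
}


def classify_dh_prime(text):
    """Name the approved group for a hex prime (colons/whitespace allowed), else None."""
    p = int("".join(text.split()).replace(":", ""), 16)
    return APPROVED.get(p)
```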

0 Answers