gh-136134: Fallback to next auth method when CRAM-MD5 fails due to unsupported hash (e.g. FIPS) #136188
Conversation
…e to unsupported hash (e.g. FIPS)
|
All commit authors signed the Contributor License Agreement. |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
| @@ -743,6 +743,10 @@ def login(self, user, password, *, initial_response_ok=True): | |||
| return (code, resp) | |||
| except SMTPAuthenticationError as e: | |||
| last_exception = e | |||
| except ValueError as e: | |||
| last_exception = e | |||
| if 'unsupported' in str(e).lower(): | |||
There was a problem hiding this comment.
why do we care about this specific error? shouldn't the next method be tried regardless of the nature of the error?
There was a problem hiding this comment.
In general, it makes sense to fallback regardless of the error. However, in this case, we handle this specific ValueError to deal with environments where FIPS mode is enabled, which disables certain hashing algorithms like MD5.
In FIPS mode, CRAM-MD5 will raise a ValueError from the underlying OpenSSL implementation (e.g. [digital envelope routines] unsupported). Since this isn't a misconfiguration or a generic programming error, but rather an expected, reproducible environment-specific issue, we explicitly catch it and fallback silently to the next available method (e.g. LOGIN).
There was a problem hiding this comment.
I see your point. I had seen the error only on Linux container with a specific version of openssl. My worry is that the fix will be rendered ineffective if openssl changes the error string or returns a different error on a different OS/platform.
There was a problem hiding this comment.
I don't think so, we are saving the error, and try another method, if none of them resolve, we will return the latest error.
However, I also don't like this kind of fix, I didn't found another better way to solve this.
And the error is not only related with that docker image.
This change improves the
smtplib.SMTP.login()method to handle the case where CRAM-MD5 fails due to missing or unsupported MD5 digest (e.g. in FIPS-compliant environments). Instead of crashing with aValueError, the client now skips CRAM-MD5 and tries the next available mechanism.A regression test has been added to verify this fallback behavior.
Closes: gh-136134