Failed to create SSL context when FIPS enabled in python-cryptography #12300

Closed
akash0x53 opened this issue Jan 17, 2025 · 3 comments

Bug report

Bug description:

Strange behaviour seen on Windows Python (built from source & linked OpenSSL 3.0.14).

Platform: Windows (amd64)
Python version: 3.9.20
OpenSSL version: 3.0.14
Python cryptography version: 43.0.3

```python
import os
os.environ["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
os.environ["OPENSSL_CONF"] = r"C:\fips\openssl.cnf"
os.environ["OPENSSL_MODULES"] = r"C:\fips"

from cryptography.hazmat.bindings._rust import openssl as _rust_openssl
print("rust openssl=",_rust_openssl.is_fips_enabled())

from cryptography.hazmat.primitives.asymmetric import rsa
rsa.generate_private_key(public_exponent=65537, key_size=2048)

import ssl
ctx = ssl.SSLContext()
```

----- output ------

```
rust openssl= True
Traceback (most recent call last):
  File "C:\cygwin64\home\nshende1\flexsnap\ssl_bug.py", line 13, in <module>
    ctx = ssl.SSLContext()
  File "C:\cygwin64\home\nshende1\flexsnap\buildarea\pyenv\lib\ssl.py", line 484, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: [SSL: LIBRARY_HAS_NO_CIPHERS] library has no ciphers (_ssl.c:3179)
```

alex commented Jan 17, 2025

The SSL module is part of the Python standard library, we are not responsible for it.

alex closed this as completed Jan 17, 2025
@akash0x53 (Author)

@alex I understand that but if we import ssl first then cryptography fails.

```python
import os

os.environ["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
os.environ["OPENSSL_CONF"] = r"C:\fips\openssl.cnf"
os.environ["OPENSSL_MODULES"] = r"C:\fips"

import ssl

from cryptography.hazmat.bindings._rust import openssl as _rust_openssl
print("rust openssl=",_rust_openssl.is_fips_enabled())

from cryptography.hazmat.primitives.asymmetric import padding, ec, rsa
rsa.generate_private_key(public_exponent=65537, key_size=2048)
```

```
rust openssl= True
Traceback (most recent call last):
  File "C:\cygwin64\home\nshende1\flexsnap\crypto_bug.py", line 13, in <module>
    rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\cygwin64\home\nshende1\flexsnap\buildarea\pyenv\Lib\site-packages\cryptography\hazmat\primitives\asymmetric\rsa.py", line 143, in generate_private_key
    return rust_openssl.rsa.generate_private_key(public_exponent, key_size)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered
                        when another library is not cleaning up the OpenSSL error
                        stack. If you are using cryptography with another library
                        that uses OpenSSL try disabling it before reporting a bug.
                        Otherwise please file an issue at
                        https://github.com/pyca/cryptography/issues with
                        information on how to reproduce this. ([<OpenSSLError(code=50856204, lib=6, reason=524556, reason_text=unsupported)>, <OpenSSLError(code=301990032, lib=36, reason=144, reason_text=unable to fetch drbg)>])
```

alex commented Jan 17, 2025

Can you provide complete instructions for how we can reproduce this (i.e., how you built and linked OpenSSL, Python, and cryptography)?
