[Bug 2066990] Re: openssl fails with out of memory messages while trying to load the FIPS provider in a non-FIPS container on a FIPS host

Xin 2066990 at bugs.launchpad.net
Thu Feb 19 00:05:46 UTC 2026 

Hi Adrien,

what's the criteria for backporting?

The OPENSSL_FORCE_FIPS_MODE worked well until recently it caused issue to our customers. Pymssql v2.3.12 or newer version seems only check the existence of OPENSSL_FORCE_FIPS_MODE rather than the value (pymssql behaves under FIPS mode when OPENSSL_FORCE_FIPS_MODE is set and regardless of the value).
It appears that OPENSSL_FORCE_FIPS_MODE is not a well-documented environment variable. I’m concerned that different software may interpret or implement it inconsistently, which could lead to increasing compatibility issues over time.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2066990

Title:
  openssl fails with out of memory messages while trying to load the
  FIPS provider in a non-FIPS container on a FIPS host

Status in ca-certificates package in Ubuntu:
  Invalid
Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  I wanted to try the new Ubuntu 24.04 Noble Numbat based .NET docker
  image and updated the base docker image in our CI pipeline to
  mcr.microsoft.com/dotnet/sdk:8.0-noble. However, it results in an out-
  of-memory exception. Based on my investigation, the exception occurs
  specifically when the update-ca-certificates command is executed. I
  can also repro the issue with ubuntu:noble image which means it's not
  specific to .NET docker images. It works fine with Jammy, by the way.
  The problem likely lies with the Noble base image rather than the .NET
  image. I'm not sure what changes were made between Jammy and Noble,
  but it appears that updating certificates consumes a lot of memory in
  Noble. I adjusted some memory settings in our GitLab runner, but it
  didn't resolve the issue. I attached all Gitlab Runner shell logs for
  .NET 8 Jammy, .NET 8 Noble and Ubuntu Noble images.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2066990/+subscriptions

More information about the foundations-bugs mailing list