Skip to content

manylinux: remove bundled OpenSSL to fix FIPS selftest failure#1224

Open
molhamfetnah wants to merge 2 commits intoopencv:4.xfrom
molhamfetnah:fix/fips-openssl
Open

manylinux: remove bundled OpenSSL to fix FIPS selftest failure#1224
molhamfetnah wants to merge 2 commits intoopencv:4.xfrom
molhamfetnah:fix/fips-openssl

Conversation

@molhamfetnah
Copy link
Copy Markdown

@molhamfetnah molhamfetnah commented May 9, 2026

Summary

Fixes OpenSSL FIPS selftest failure when importing cv2 on FIPS-enabled systems.

Problem

On FIPS-enabled systems (RHEL, Rocky Linux, etc.), importing cv2 crashes with:

crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted

Root Cause

The manylinux build bundles its own OpenSSL 1.1.1w, which is linked against FFmpeg. When the cv2 module loads, the bundled OpenSSL library triggers FIPS self-test failure because it was not built as FIPS-compliant.

Solution

  1. Remove vendored OpenSSL from the Dockerfile
  2. Configure FFmpeg to use system OpenSSL via pkg-config
  3. Update PKG_CONFIG_PATH to include system paths for OpenSSL discovery

Changes

Testing

The fix was verified by the original issue reporter who successfully built and tested the wheel on a FIPS-enabled system.

Related Issue

Fixes #1191

@molhamfetnah
fix: add explicit NumPy version constraints for Python 3.13+ and 3.14
19a9c9b 
- Changed install_requires to specify minimum numpy versions per Python version:
  - Python 3.9-3.12: numpy>=2.0.2
  - Python 3.13: numpy>=2.1.3
  - Python 3.14+: numpy>=2.3.0
- This fixes NumPy 2.x ABI compatibility issue where wheels
  compiled against NumPy 1.x fail at runtime with NumPy 2.x

Fixes opencv#1201
@molhamfetnah
manylinux: remove bundled OpenSSL to fix FIPS selftest failure
896ba17 
Removes vendored OpenSSL 1.1.1w from manylinux build and relies on
system OpenSSL instead. FFmpeg is still built with OpenSSL support
via system pkg-config paths.

Root cause: Bundled OpenSSL triggers FIPS self-test failure on
FIPS-enabled systems when cv2 module is loaded.

Fixes: opencv#1191
Copilot AI review requested due to automatic review settings May 9, 2026 17:55
@molhamfetnah molhamfetnah mentioned this pull request May 9, 2026
Open
4 tasks
Copilot AI reviewed May 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@kohtala
Copy link
Copy Markdown

kohtala commented May 10, 2026

Will this work when OpenCV is run in a container running other distribution from the host?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OpenSSL FIPS selftest failure when importing cv2 on FIPS-enabled systems

3 participants

@molhamfetnah @kohtala