OpenSSL FIPS selftest failure when importing cv2 on FIPS-enabled systems

[vmiller987]

System Information

• OS: RHEL 9.7 with FIPS enabled
• Python 3.13.7
• opencv-python==4.13.0.90

Detailed description

Importing cv2 crashes with FATAL FIPS SELFTEST FAILURE on systems with FIPS mode enabled.

The crash occurs when loading the native cv2 binary extension in cv2/__init__.py:

py_module = sys.modules.pop("cv2")
native_module = importlib.import_module("cv2")  # <-- crashes here

The cv2 binary appears to be linked against the OpenSSL in a way that fails FIPS validation on FIPS-enabled systems.

Reverting to the previous release currently provides a workaround.

[vmiller@gluskap tmp]$ uv venv
Using CPython 3.13.7
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
[vmiller@gluskap tmp]$ venv
(tmp) [vmiller@gluskap tmp]$ uv pip install "opencv-python<4.13.0.90"
Resolved 2 packages in 135ms
Prepared 2 packages in 10.33s
Installed 2 packages in 20ms
 + numpy==2.2.6
 + opencv-python==4.12.0.88
(tmp) [vmiller@gluskap tmp]$ python -c "import cv2; print('success');"
success

Steps to reproduce

On a machine installed with fips=1:

[vmiller@gluskap tmp]$ uv venv
Using CPython 3.13.7
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
[vmiller@gluskap tmp]$  venv
(tmp) [vmiller@gluskap tmp]$ uv pip install opencv-python
Resolved 2 packages in 402ms
Prepared 2 packages in 1.83s
Installed 2 packages in 19ms
 + numpy==2.4.1
 + opencv-python==4.13.0.90
(tmp) [vmiller@gluskap tmp]$ python -c "import cv2"
crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues, forum.opencv.org, Stack Overflow, etc and have not found any solution
• I updated to the latest OpenCV version and the issue is still there
• There is reproducer code and related data files (videos, images, onnx, etc)

[aviralgarg05]

I would like to solve the issue, please assign me

[AdityaMishra3000]

I opened a PR that addresses this issue by removing bundled OpenSSL from the
manylinux build and relying on system OpenSSL instead.
PR:#1190
@vmiller987 Let me know if this is satisfactory

[asmorkalov]

OpenCV does not use OpenSSL and does not contain any crypto related code. The SSL is 3rdparty dependency for one or several OpenCV 3rdparty dependencies, e.g. FFmpeg, QT, image IO libraries.

[asmorkalov]

Mowing the issue to opencv-python repo as it's related to packages build, but not OpenCV itself.

[vmiller987]

I opened a PR that addresses this issue by removing bundled OpenSSL from the manylinux build and relying on system OpenSSL instead. PR:#1190 @vmiller987 Let me know if this is satisfactory

@AdityaMishra3000 , @asmorkalov , thank you for the fast responses. I am not used to this.
The #1190 PR would appear to resolve my issue.

I pulled your branch, built the wheel, and installed it.

[vmiller@gluskap tmp]$ git clone https://github.com/opencv/opencv-python.git
[vmiller@gluskap tmp]$ cd opencv-python
[vmiller@gluskap tmp]$ git fetch origin pull/1190/head:pr-1190
[vmiller@gluskap tmp]$ git checkout pr-1190
[vmiller@gluskap tmp]$ cd ~/opencv-python

[vmiller@gluskap opencv-python]$ uv venv
Using CPython 3.13.7
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
[vmiller@gluskap opencv-python]$ venv
(opencv-python) [vmiller@gluskap opencv-python]$ uv pip install scikit-build
-core numpy setuptools wheel cmake
Resolved 7 packages in 272ms
Prepared 5 packages in 897ms
Installed 7 packages in 49ms
 + cmake==4.2.1
 + numpy==2.4.1
 + packaging==26.0
 + pathspec==1.0.3
 + scikit-build-core==0.11.6
 + setuptools==80.10.2
 + wheel==0.46.3
(opencv-python) [vmiller@gluskap opencv-python]$ uv pip install scikit-build 
pip wheel . --no-build-isolation
Resolved 5 packages in 278ms
Prepared 2 packages in 67ms
Installed 2 packages in 13ms
 + distro==1.9.0
 + scikit-build==0.18.1
Processing /home/vmiller/Work/tmp/opencv-python
  Preparing metadata (pyproject.toml) ... done
Collecting numpy>=2 (from opencv-python==4.13.0+dc2e895)
  Using cached numpy-2.4.1-cp313-cp313-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl.metadata (6.6 kB)
Downloading numpy-2.4.1-cp313-cp313-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl (16.4 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 16.4/16.4 MB 52.7 MB/s  0:00:00
Saved ./numpy-2.4.1-cp313-cp313-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Building wheels for collected packages: opencv-python
  Building wheel for opencv-python (pyproject.toml) ... done
  Created wheel for opencv-python: filename=opencv_python-4.13.0+dc2e895-cp313-cp313-linux_x86_64.whl size=32287285 sha256=1dca8d48ad9dfcd1886f553468f7446af1971fa427a37656006c2a36eb88e42f
  Stored in directory: /home/vmiller/.cache/pip/wheels/b0/ab/eb/b0d579fc4ff1cefcdef823871b057fac80ff9d14819a19707d
Successfully built opencv-python
(opencv-python) [vmiller@gluskap opencv-python]$ cd ~

(opencv-python) [vmiller@gluskap opencv-python]$ uv pip install ./opencv_python*.whl
Resolved 2 packages in 116ms
Prepared 1 package in 165ms
Installed 1 package in 4ms
 + opencv-python==4.13.0+dc2e895 (from file:///home/vmiller/Work/tmp/opencv-python/opencv_python-4.13.0+dc2e895-cp313-cp313-linux_x86_64.whl)

(opencv-python) [vmiller@gluskap opencv-python]$ cd ~
(opencv-python) [vmiller@gluskap ~]$ python -c "import cv2; print(cv2.__version__)"
4.13.0
(opencv-python) [vmiller@gluskap ~]$ 

[AdityaMishra3000]

Hello @asmorkalov , I am new to these procedures. Thanks for the clarification.

I agree this is not OpenCV core but a 3rdparty issue. Let me know if you’d like me to adjust anything
in the PR or if there’s a preferred direction for handling this.

[jayteaftw]

+1 Anything we can do to get #1190 pushed? FIPS Compliant machine are currently running with a critical vulnerability until this is addressed: GHSA-4r2x-xpjr-7cvv