How to fix SSL issue SSL_CTX_use_certificate : ca md too weak on Python Zeep
Regenerate CA file using openssl with stronger hash(such as sha256 ) to sing like this:
openssl genrsa -out private/cakey.pem 3072
openssl req -new -sha256 -key private/cakey.pem -out private/ca.csr -subj "/C=CN/ST=envoy-test/L=envoy-test/O=envoy-test/OU=envoy-test/CN=envoy-test"
openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey private/cakey.pem -in private/ca.csr -out certs/ca.cer
If you are like me, trying to set up a Flask endpoint server through encrypted HTTPS connections on your raspberrypi and encountering the same error as OP, the provided python libraries (Flask & pyOpenSSL) on the default raspbian OS is too old
At the time of writing, I'm using Raspbian 9 (stretch), python 3.8, the default library version is Flask==0.12.1, pyOpenSSL==16.2.0
I fixed the same error I was encountering as OP by installing the latest Flask==1.1.1 and pyOpenSSL==19.1.0
Not sure if my answer will help, but just throwing it out there..
The error message you are getting indicates that the certificate you are using is signed with an md5
hash.
OpenSSL 1.1.0 has introduced a new feature called security level.
The default setting of 1
will cause the following (emphasis by me):
The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited.
You may need to regenerate the certificate and use a stronger hash to sign, for example SHA1
.
Judging from the forum post at OpenSSL Users this problem may be occurring now because the service you are attempting to connect to has upgraded their version of OpenSSL and it is now rejecting your certificate.
Don't do this if you don't understand the consecuences.
If you can't regenerate ca certificates, you can first ask the administrador to change certificates, as last choice you could change the openssl
configuration in order to decrease the ciphers security level, SECLEVEL=2
(or any number) to SECLEVEL=0
, doing this in debian/linux:
- Look for openssl conf:
openssl version -d
. Example:/usr/lib/ssl
- Then
sed -i -e 's/SECLEVEL=2/SECLEVEL=0/g' /usr/lib/ssl/openssl.cnf
(changing path and number for your results).
Be carefully, because in level = 0
Everything is permitted. This retains compatibility with previous versions of OpenSSL.
It seems that some versions has no SECLEVEL
, in such a case you could change DOPENSSL_TLS_SECURITY_LEVEL=n
to DOPENSSL_TLS_SECURITY_LEVEL=0
or add it if not exist, source.