John Dolls

Reputation: 193

How to fix SSL issue SSL_CTX_use_certificate : ca md too weak on Python Zeep

My code was working before, until I started getting this error whenever I make SOAP requests to the Frontierlink Web Service.

      File "/home/venv/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
        raise exception_type(errors)
    OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ca md too weak')]

Do I need to regenerate the .pem file that I'm using to connect, or is the issue in the .p12 file that I used to generate the .pem file?

Let me know if you need more info on my issue.

Notes:

The OpenSSL version I'm using is: OpenSSL 1.0.2k-fips

Thank you in advance!

Upvotes: 17

Views: 48142

Answers (4)

Emeeus

Reputation: 5250

Don't do this if you don't understand the consequences.

If you can't regenerate the CA certificates, you can first ask the administrator to change the certificates; as a last resort you could change the OpenSSL configuration to decrease the cipher security level from SECLEVEL=2 (or any number) to SECLEVEL=0, by doing this on Debian/Linux:

  • Look for the openssl conf directory: openssl version -d. Example: /usr/lib/ssl
  • Then sed -i -e 's/SECLEVEL=2/SECLEVEL=0/g' /usr/lib/ssl/openssl.cnf (changing the path and number according to your results).

Be careful, because in level = 0

Everything is permitted. This retains compatibility with previous versions of OpenSSL.

It seems that some versions have no SECLEVEL; in such a case you could change DOPENSSL_TLS_SECURITY_LEVEL=n to DOPENSSL_TLS_SECURITY_LEVEL=0, or add it if it does not exist (source).

Upvotes: 3
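The same SECLEVEL downgrade can be confined to the one Zeep client that talks to the legacy service, rather than edited into the system-wide openssl.cnf where every program on the host inherits it. The following is an added example, not code from the answer above or from the Zeep project. The file names client.pem and client.key and the WSDL URL are placeholders, and the context must have its cipher string set before the certificate is loaded, because the "ca md too weak" check runs inside load_cert_chain (the Python wrapper around SSL_CTX_use_certificate). This is the same stopgap as the global edit, just scoped; it still accepts the MD5-signed certificate, so regenerating the certificate remains the real fix.

```python
"""Scope an OpenSSL security-level downgrade to a single Zeep client.

Added example, not code from the original answer or from Zeep. Assumptions
(not from the page): the client certificate/key live in client.pem and
client.key, and the WSDL URL is a placeholder.
"""
import ssl


def build_legacy_ssl_context(level=0, certfile=None, keyfile=None):
    """Return a client SSLContext whose OpenSSL security level is lowered
    only for this context, leaving the rest of the process at the default.

    set_ciphers() must run before load_cert_chain(): the 'ca md too weak'
    check happens when the certificate is loaded, not at handshake time.
    """
    ctx = ssl.create_default_context()
    # '@SECLEVEL=n' in the cipher string sets the context's security level
    # (OpenSSL 1.1.0+). Level 0 permits everything, including MD5 signatures.
    ctx.set_ciphers("DEFAULT@SECLEVEL=%d" % level)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_zeep_client(wsdl_url, ctx):
    """Build a zeep.Client whose HTTPS connections use the given context.

    requests and zeep are imported lazily so the module loads without them;
    the adapter passes the context through to urllib3's pool manager.
    """
    import requests
    from requests.adapters import HTTPAdapter
    from zeep import Client
    from zeep.transports import Transport

    class LegacyTLSAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().init_poolmanager(*args, **kwargs)

    session = requests.Session()
    session.mount("https://", LegacyTLSAdapter())
    return Client(wsdl_url, transport=Transport(session=session))


if __name__ == "__main__":
    # Placeholder paths and URL; replace with the real client certificate and WSDL.
    legacy_ctx = build_legacy_ssl_context(0, "client.pem", "client.key")
    client = make_zeep_client("https://example.invalid/service?wsdl", legacy_ctx)
    print(client.service)
```

Only the session mounted with LegacyTLSAdapter is affected; any other HTTPS client in the same process keeps the default security level, which is the property the global openssl.cnf edit gives up.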

dian jin

Reputation: 304

If you are like me, trying to set up a Flask endpoint server over encrypted HTTPS connections on your Raspberry Pi and encountering the same error as the OP, the Python libraries (Flask & pyOpenSSL) provided on the default Raspbian OS are too old.

At the time of writing, I'm using Raspbian 9 (stretch) and Python 3.8, the default library version is Flask==0.12.1, pyOpenSSL==16.2.0.

I fixed the same error I was encountering as OP by installing the latest Flask==1.1.1 and pyOpenSSL==19.1.0.

Upvotes: 4

copbint

Reputation: 109

Regenerate the CA file using openssl with a stronger hash (such as sha256) to sign, like this:

    # 3072-bit RSA key for the CA
    openssl genrsa -out private/cakey.pem 3072
    # certificate request, digested with SHA-256 instead of MD5
    openssl req -new -sha256 -key private/cakey.pem -out private/ca.csr -subj "/C=CN/ST=envoy-test/L=envoy-test/O=envoy-test/OU=envoy-test/CN=envoy-test"
    # self-sign the CA certificate with SHA-256 and the v3_ca extensions
    openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey private/cakey.pem -in private/ca.csr -out certs/ca.cer

Upvotes: 3

Serdalis

Reputation: 10489

The error message you are getting indicates that the certificate you are using is signed with an md5 hash.

OpenSSL 1.1.0 has introduced a new feature called security level.
The default setting of 1 will cause the following (emphasis by me):

The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited.

You may need to regenerate the certificate and use a stronger hash to sign, for example SHA1.

Judging from the forum post at OpenSSL Users this problem may be occurring now because the service you are attempting to connect to has upgraded their version of OpenSSL and it is now rejecting your certificate.

Upvotes: 33
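Before regenerating anything, it helps to confirm which hash actually signed the certificate the client loads, and which OpenSSL security level that hash survives. The following is an added example, not code from the question or from any of the answers. It reads the signatureAlgorithm field of an X.509 certificate with a small DER walker built on the standard library only (so it runs without pyOpenSSL or cryptography installed) and compares the digest's strength with the level thresholds from the SSL_CTX_set_security_level documentation quoted above. The security-bit values for MD5 and SHA-1 are the ones OpenSSL 3.x assigns; OpenSSL 1.1.x rated each digest at half its output size, so there SHA-1 still passed level 1, as the answer above implies. The certificate bodies it checks are constructed in-line with the right shape and are not real certificates.

```python
"""Which hash signed this certificate, and will OpenSSL's security level reject it?

Added example, not code from the question or answers. Standard library only.
The sample certificates are CONSTRUCTED (empty tbsCertificate, dummy signature)
and only exercise the parser; real PEM files work the same way.
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, digest).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "sha512"),
}
# Minimum security bits per level, from SSL_CTX_set_security_level(3).
LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
# Security bits OpenSSL 3.x assigns to a certificate signature digest. MD5 and
# SHA-1 are rated below half their output size; OpenSSL 1.1.x used half the
# digest size for all (md5 64, sha1 80), so SHA-1 passed level 1 there.
DIGEST_SECBITS = {"md5": 39, "sha1": 64, "sha256": 128, "sha384": 192, "sha512": 256}


def _read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """OBJECT IDENTIFIER contents -> dotted text (first arc is 0-2 for all OIDs here)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(der):
    """Return (oid, name, digest) from the outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    name, digest = SIG_ALGS.get(oid, ("unknown", None))
    return oid, name, digest


def check_certificate(pem, level=1):
    """Report whether the certificate's signature digest passes the security level."""
    oid, name, digest = signature_algorithm(pem_to_der(pem))
    bits = DIGEST_SECBITS.get(digest, 0)
    return {"algorithm": name, "oid": oid, "digest": digest, "security_bits": bits,
            "level": level, "accepted": bits >= LEVEL_MIN_BITS[level]}


def _tlv(tag, body):
    """Encode a short-form DER TLV (bodies under 128 bytes; enough for the samples)."""
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted):
    """Dotted OID text -> OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_pem(sig_oid):
    """CONSTRUCTED sample: Certificate-shaped DER (empty tbsCertificate, NULL
    parameters, one-byte BIT STRING) in PEM. Not a loadable certificate."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        for level in (0, 1, 2):
            print(check_certificate(constructed_pem(oid), level))
```

For a real file, `check_certificate(open("client.pem").read(), level=1)` gives the same report; the one-line equivalent on the command line is `openssl x509 -in client.pem -noout -text | grep "Signature Algorithm"`. A certificate whose digest is md5 fails at level 1 in every OpenSSL release that has security levels, which is exactly the load-time "ca md too weak" error, and only a certificate re-signed with sha256 or stronger passes level 2, the default on current Debian and Ubuntu builds.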
