
Attempting to send a SOAP request using suds, I'm using Python 2.7.6.

I'm not very versed in security. I am led to believe that the security key, on either my machine or the server's machine, is too small, and I'm not sure how to resolve this. Do I generate some new key and create a custom opener? Any assistance/guidance would be helpful.

Stacktrace:

Traceback (most recent call last):
  File "read_xml.py", line 71, in <module>
    client.service.PO(purchase_orders)
  File "/usr/local/lib/python2.7/dist-packages/suds/client.py", line 542, in __call__
    return client.invoke(args, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/suds/client.py", line 602, in invoke
    result = self.send(soapenv)
  File "/usr/local/lib/python2.7/dist-packages/suds/client.py", line 637, in send
    reply = transport.send(request)
  File "/usr/local/lib/python2.7/dist-packages/suds/transport/https.py", line 64, in send
    return  HttpTransport.send(self, request)
  File "/usr/local/lib/python2.7/dist-packages/suds/transport/http.py", line 77, in send
    fp = self.u2open(u2request)
  File "/usr/local/lib/python2.7/dist-packages/suds/transport/http.py", line 118, in u2open
    return url.open(u2request, timeout=tm)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1222, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:510: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small>

I was taking a look at the following links

Python - requests.exceptions.SSLError - dh key too small

https://bugs.python.org/issue24985

https://unix.stackexchange.com/questions/333877/how-to-find-which-key-exactly-dh-key-too-small-openssl-error-is-about

I'm unsure how to implement what they're talking about; thanks again for any help.

    You must either configure your connection to not use Diffie-Hellman (DH) or change things on the server, following instructions at https://weakdh.org/sysadmin.html. If you control the server, it is best to fix its security and hence change its dhparams as explained in the previous link. If you do not control the server, you have to use the first option. – Patrick Mevzek Sep 21 '18 at 16:03

2 Answers


I'm using this code fragment in Python 3.7:

import ssl
from urllib.request import HTTPSHandler

from suds.client import Client
from suds.transport.https import HttpAuthenticated


class SSLAuthenticated(HttpAuthenticated):
    """ Enables a custom SSL context (cipher list) for Suds. """

    # None keeps the ciphers that ssl.create_default_context() already applies;
    # the private ssl._DEFAULT_CIPHERS used originally no longer exists on
    # newer Python versions, so it is not referenced here.
    def __init__(self, ssl_ciphers: str = None, **kwargs):
        self.ssl_ciphers = ssl_ciphers
        super().__init__(**kwargs)

    def u2handlers(self):
        # Prepend an HTTPSHandler carrying our context so urllib uses it
        # (certificate and hostname verification stay enabled).
        handlers = super().u2handlers()
        ssl_context = ssl.create_default_context()
        if self.ssl_ciphers is not None:
            ssl_context.set_ciphers(self.ssl_ciphers)
        ssl_context_handler = HTTPSHandler(context=ssl_context)
        handlers = [ssl_context_handler] + handlers
        return handlers


# Exclude every DH key-exchange suite so the server's small DH group is never negotiated.
client = Client(url, transport=SSLAuthenticated(ssl_ciphers='HIGH:!DH'))

To obtain a list of the ciphers available on a website, run:

nmap --script ssl-enum-ciphers -p 443 affected.website.com

then choose from the A-grade ciphers one by one and check them like so:

openssl s_client -connect affected.website.com:443 -cipher 'HIGH:!DH' -brief
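A self-contained Python 3 check of what a cipher string like the one in this answer actually leaves enabled, added here as an example; it is not code from the question or from either answer. The function names (build_no_dh_context, key_exchange_summary, offers_dh_suites, build_opener_without_dh) are chosen for this example, and it uses only the standard library (ssl, urllib.request), so it runs without suds and without network access.

```python
"""Added example: build a TLS client context that will not negotiate
finite-field Diffie-Hellman, and inspect which key-exchange methods remain.

Standard library only (Python 3.6+ for SSLContext.get_ciphers()); runs offline.
"""
import re
import ssl
from urllib.request import HTTPSHandler, OpenerDirector, build_opener

# Cipher string from the answer above: strong suites, minus every suite the
# OpenSSL "DH" alias matches (ephemeral DHE and anonymous DH). ECDHE suites
# are a separate alias ("ECDH") and stay available, as does TLS 1.3.
NO_DH_CIPHERS = "HIGH:!DH"

# OpenSSL describes each suite as, for example,
# 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
_KX_RE = re.compile(r"\bKx=(\S+)")


def build_no_dh_context(ciphers: str = NO_DH_CIPHERS) -> ssl.SSLContext:
    """Client context with certificate and hostname verification left intact,
    restricted to a cipher list that cannot negotiate classic DH.

    This sidesteps 'dh key too small' by never offering DH, so an undersized
    server group is simply not selected; lowering the OpenSSL security level
    (the other answer) instead makes the client accept the weak group.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(ciphers)
    return ctx


def key_exchange_summary(ctx: ssl.SSLContext) -> dict:
    """Map each key-exchange token ('ECDH', 'DH', 'RSA', 'any' for TLS 1.3,
    'DHEPSK', ...) to the number of enabled suites that use it."""
    counts = {}
    for suite in ctx.get_ciphers():
        match = _KX_RE.search(suite["description"])
        kx = match.group(1) if match else "unknown"
        counts[kx] = counts.get(kx, 0) + 1
    return counts


def offers_dh_suites(ctx: ssl.SSLContext) -> bool:
    """True if the context still enables suites OpenSSL labels Kx=DH, i.e. the
    ones '!DH' is meant to remove. PSK variants (Kx=DHEPSK) are listed
    separately by key_exchange_summary; append ':!PSK' to drop those as well."""
    return key_exchange_summary(ctx).get("DH", 0) > 0


def build_opener_without_dh() -> OpenerDirector:
    """urllib opener wired to the restricted context; the suds transport in the
    answer does the same by prepending an HTTPSHandler to its handler list."""
    return build_opener(HTTPSHandler(context=build_no_dh_context()))


if __name__ == "__main__":
    # Compare the default cipher list with the restricted one.
    for label, ctx in (("default", ssl.create_default_context()),
                       (NO_DH_CIPHERS, build_no_dh_context())):
        print(label, "->", key_exchange_summary(ctx),
              "| offers DH:", offers_dh_suites(ctx))
```

Running it prints the key-exchange breakdown for the default context and for HIGH:!DH; the second must show no Kx=DH entry while still listing ECDH (and TLS 1.3 suites as Kx=any), which is why a client built this way keeps strong forward-secret key exchange instead of trading it away for an undersized DH group.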

I solved this by changing DEFAULT@SECLEVEL=2 -> DEFAULT@SECLEVEL=1 in /etc/ssl/openssl.cnf
