I have seen a few links for this issue and most people want the server to be updated for security reasons. I am looking to make an internal only tool and connect to a server that is not able to be modified. My code is below and I am hopeful I can get clarity on how I can accept the small key and process the request.

Thank you all in advance

import requests
from requests.auth import HTTPBasicAuth
import warnings
import urllib3

warnings.filterwarnings("ignore")
urllib3.disable_warnings()
# Append to urllib3's default cipher string (urllib3 1.x; the constant was removed in 2.x).
# A leading ':' separator is required, otherwise the last default entry and 'HIGH'
# run together into one bogus token. '!DH' removes finite-field Diffie-Hellman
# suites from what the client offers, so a DHE suite is never negotiated.
urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
#urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST += ':HIGH:!DH:!aNULL'

url = "https://x.x.x.x/place/stuff"
userName = 'stuff'
passW = 'otherstuff'

dataR = requests.get(url, auth=HTTPBasicAuth(userName, passW), verify=False)
print(dataR.text)
Nathan G.
  • You need to specify which Python version and how it is installed to know the underlying OpenSSL version used. – Patrick Mevzek Dec 14 '18 at 22:47
  • Hi Patrick, I'm having a similar issue on `Python@3.7` and `OpenSSL@1.1.1a` when I try to connect to an API, SSL error: – rekans Dec 30 '18 at 23:38
  • Also: 1) you shouldn't remove warnings, and 2) more related to your problem, try to force connecting over TLS 1.2; I have just witnessed such a case where a connection had the failure you mention because the connection is using SSLv23 method by method which should be the most compatible one, except when it isn't; by forcing TLS1_2_METHOD the handshake succeeded without problems – Patrick Mevzek Feb 06 '20 at 22:36

1 Answer

The problem with too small DH keys is discussed at length at https://weakdh.org with various remediations.

Now in your case it depends on the OpenSSL which Python uses under the hood. It hardcodes things to reject too small values.

Have a look at: How to reject weak DH parameters in an OpenSSL client?

Currently OpenSSL in client mode stops handshake only if the keylength of server selected DH parameters is less than 768 bit (hardcoded in source).

Based on the answer there, you could use SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback to control things more to your liking... except that at that time it did not seem to work on the client side, only the server side.

Based on http://openssl.6102.n7.nabble.com/How-to-enforce-DH-field-size-in-the-client-td60442.html it seems that some work was added in the 1.1.0 branch for that problem. It seems to hint at a commit 2001129f096d10bbd815936d23af3e97daf7882d in 1.0.2 so first maybe try a newer version of OpenSSL (you did not specify which versions you are using).

However, even if you manage to have everything working with OpenSSL you still need your Python to use it (so probably to compile Python yourself) and then have the specific API inside Python to work on that... to be honest I think you will lose far less time fixing the service (even if you say you cannot modify it) instead of trying to basically cripple the client, as rejecting small keys is a good thing (for reasons explained in the first link).

Patrick Mevzek
  • Basically setting `sslcipher` option in ruby to `AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA` did the trick. Thanks for the pointer! – akostadinov Aug 24 '22 at 23:51
  • It is better to use `@SECLEVEL` in general instead of listing ciphers. Even better of course if fixing the remote end to be more modern, which will make the error message disappear. – Patrick Mevzek Aug 25 '22 at 00:10
  • yes, actually that list above makes no sense. The first one which is rather weak is used. – akostadinov Aug 25 '22 at 00:27
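The answer and the later comments converge on the same point: rather than teaching the client to accept a small DH group, keep the client from offering finite-field DH suites at all (the `!DH` in the question's cipher string), so the server can only pick ECDHE or RSA key exchange and its weak group never reaches OpenSSL's size check. The following is an added example, not code from the question, the answer or the requests project. It does this with an explicit `ssl.SSLContext` handed to requests through an adapter instead of patching urllib3 module globals, and it goes a little beyond the thread by adding an audit helper that lists which key-exchange methods a context still offers. The cipher string, the `NoDHAdapter` name, the `cafile` parameter and the internal hostname are this example's own choices; certificate verification is left on.

```python
import ssl

# Cipher string chosen for this example (assumption, not from the page): 'HIGH'
# keeps strong suites, '!DH' drops every finite-field Diffie-Hellman suite, and
# the rest removes anonymous, null, MD5 and pre-shared-key suites.
NO_DH_CIPHERS = "HIGH:!DH:!aNULL:!eNULL:!MD5:!PSK"


def build_no_dh_context(cafile=None):
    """SSLContext that verifies certificates but never negotiates finite-field DH."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # the TLS 1.2 advice from the comments
    ctx.set_ciphers(NO_DH_CIPHERS)                    # governs the TLS <= 1.2 suite list
    return ctx


def dh_kex_ciphers(ctx):
    """Names of enabled TLS <= 1.2 suites whose key exchange is finite-field DH."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["kea"] in ("kx-dhe", "kx-dhe-psk")]


def key_exchange_summary(ctx):
    """Count of enabled suites per key-exchange method, e.g. {'kx-ecdhe': 8, 'kx-rsa': 4, 'kx-any': 3}.
    'kx-any' is how OpenSSL reports TLS 1.3 suites, whose key exchange is chosen by group, not suite."""
    summary = {}
    for c in ctx.get_ciphers():
        summary[c["kea"]] = summary.get(c["kea"], 0) + 1
    return summary


def make_session(cafile=None):
    """requests.Session whose HTTPS connections use the no-DH context.
    requests is imported here so the audit helpers above stay stdlib-only."""
    import requests
    from requests.adapters import HTTPAdapter

    ctx = build_no_dh_context(cafile)

    class NoDHAdapter(HTTPAdapter):   # hypothetical name, this example's own
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().init_poolmanager(*args, **kwargs)

        def proxy_manager_for(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().proxy_manager_for(*args, **kwargs)

    session = requests.Session()
    session.mount("https://", NoDHAdapter())
    return session


if __name__ == "__main__":
    hardened = build_no_dh_context()
    print("DHE suites still offered:", dh_kex_ciphers(hardened))          # expected: []
    print("DHE suites in a default context:", dh_kex_ciphers(ssl.create_default_context()))
    print("key exchange mix:", key_exchange_summary(hardened))
    # Real use (internal hostname and CA bundle path are placeholders):
    # s = make_session(cafile="/path/to/internal-ca.pem")
    # r = s.get("https://internal.example/place/stuff", auth=("user", "pass"))
```

Run the block directly to compare the hardened context with Python's default one; `dh_kex_ciphers` on the hardened context should be empty, and `key_exchange_summary` shows that ECDHE and RSA key exchange (plus the TLS 1.3 suites) remain available. Two caveats follow from the design: if the legacy server supports only DHE suites, the handshake now fails at the client with "no shared cipher" instead of at OpenSSL's DH size check, which is the intended outcome; and the `cafile` argument is there so an internal CA can be trusted explicitly, which is the alternative to the `verify=False` in the question.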