
I have some really old systems that I need to interact with over https. They're so old that when I use any Python on Ubuntu 20.04 to interact with them, their ciphers cause this error:

[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)

Assume the following constraints:

  • I cannot upgrade the old systems
  • I must use an Ubuntu 20.04 system to interact with the old systems
  • I cannot modify the Python code that makes the https connection to the old systems
  • That said, I can control the Python version and libraries

I have tried the following:

  • Check for supported ciphers - AES128-SHA works
  • Create a virtualenv using virtualenv --copies --python=python2 oldpy - NOTE: retains link to global /usr/lib/python2.7/ssl.py
  • Search for and update CIPHER settings in urllib3 and requests libraries in my virtualenv

This did not work around the error. I eventually got to a working solution by editing the ciphers in the system-wide /usr/lib/python2.7/ssl.py file:

_DEFAULT_CIPHERS = (
    'AES128-SHA'
)

However, this is not ideal, because now I am making a global change to /usr/lib/python2.7/ssl.py. Ideally I'd like to make a local change only, for example in an isolated virtualenv.

What are some other ways I could approach this problem while remaining within the constraints I mentioned above?

EdwardTeach
  • See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for an explanation of your specific error message. One of the ways to do it is NOT to force a specific cipher but to use `DEFAULT@SECLEVEL=1`, if possible just for the connection, and if not, in the "ssl" default configuration file on the system. Of course you then need to be fully aware that you are vulnerable to some security problems. In PyOpenSSL, once you have set up your context, you can call `set_cipher_list` on it with that specific value and it will work. – Patrick Mevzek Oct 30 '20 at 03:38
  • For `https`, look in `requests` module documentation about specific "SSL" transport to force the version (and other parameters like ciphers), at https://requests.readthedocs.io/en/latest/user/advanced/#example-specific-ssl-version – Patrick Mevzek Oct 30 '20 at 03:42
  • @PatrickMevzek thanks for the info. Per the Debian TriagingTips page: the Python `ssl.py` appears not to obey the global `openssl.cnf`. For the `requests` module, I'm unfortunately unable to update the code that is running; I know it sounds odd, but I can control the environment, but not the code. – EdwardTeach Nov 02 '20 at 15:38
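An added example (not code from the question or the comments) that combines the two constraints above: the change stays inside one virtualenv and touches no application code, and it applies the `DEFAULT@SECLEVEL=1` cipher string suggested in the comments instead of pinning a single suite. Python imports a module named `sitecustomize` at start-up if it is on `sys.path`, so a file with this name in `<venv>/lib/pythonX.Y/site-packages/` affects only interpreters launched from that venv. The environment variable name `LEGACY_TLS_CIPHERS` is chosen here and is not a Python or OpenSSL setting; the code targets Python 3 (the `PROTOCOL_TLS_CLIENT` constant and `get_ciphers()` do not exist in Python 2.7). It hooks both `SSLContext.set_ciphers()`, which urllib3 and requests call with their own list, and `ssl.create_default_context()`, which on Python 3.10+ no longer calls `set_ciphers()` at all, and it records and logs every override so the weakened policy is visible rather than silent.

```python
"""sitecustomize.py: confine a weakened TLS cipher policy to one virtualenv.

Placed in <venv>/lib/pythonX.Y/site-packages/, this runs at interpreter
start-up for that venv only; the system-wide ssl.py stays untouched and the
application code is not modified.  The override is opt-in through the
environment variable LEGACY_TLS_CIPHERS (a name chosen for this example):

    LEGACY_TLS_CIPHERS='DEFAULT@SECLEVEL=1' python legacy_client.py
"""
import logging
import os
import ssl

log = logging.getLogger("legacy_tls")

# Audit trail of (cipher string the library asked for, cipher string applied).
# A first element of None means the context came from create_default_context().
OVERRIDES = []

_orig_set_ciphers = ssl.SSLContext.set_ciphers
_orig_create_default_context = ssl.create_default_context


def _apply(ctx, requested, cipher_string):
    # Record and log the substitution, then hand the real call the new string.
    OVERRIDES.append((requested, cipher_string))
    log.warning("TLS cipher override: %r -> %r", requested, cipher_string)
    return _orig_set_ciphers(ctx, cipher_string)


def install(cipher_string):
    """Make every SSLContext created in this process use cipher_string.

    Two hooks are needed: urllib3/requests build their own context and call
    set_ciphers() with their own list, while code relying on
    ssl.create_default_context() on Python 3.10+ never calls set_ciphers()
    and would otherwise keep OpenSSL's defaults.
    """
    def patched_set_ciphers(self, requested):
        return _apply(self, requested, cipher_string)

    def patched_create_default_context(*args, **kwargs):
        ctx = _orig_create_default_context(*args, **kwargs)
        _apply(ctx, None, cipher_string)
        return ctx

    ssl.SSLContext.set_ciphers = patched_set_ciphers
    ssl.create_default_context = patched_create_default_context
    return cipher_string


def uninstall():
    """Restore the stock ssl behaviour."""
    ssl.SSLContext.set_ciphers = _orig_set_ciphers
    ssl.create_default_context = _orig_create_default_context


def cipher_names(ctx):
    """Suite names the context will actually offer, as OpenSSL reports them."""
    return [c["name"] for c in ctx.get_ciphers()]


def self_check(requested="ECDHE+AESGCM"):
    """Build contexts the way a library would and report what was applied.

    Returns the override recorded for a hand-built context ("manual"), the
    one recorded for ssl.create_default_context() ("default"), and the number
    of suites the hand-built context offers.  Both override entries are None
    when nothing is installed, which is how an operator confirms the hook.
    """
    start = len(OVERRIDES)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(requested)
    manual = OVERRIDES[-1] if len(OVERRIDES) > start else None
    ssl.create_default_context()
    default = OVERRIDES[-1] if len(OVERRIDES) > start + 1 else None
    return {"manual": manual, "default": default,
            "suites": len(cipher_names(ctx))}


# Opt-in at start-up, so interpreters run without the variable keep the stock policy.
if os.environ.get("LEGACY_TLS_CIPHERS"):
    install(os.environ["LEGACY_TLS_CIPHERS"])
```

To confirm the hook is active in the venv, run `LEGACY_TLS_CIPHERS='DEFAULT@SECLEVEL=1' python -c "import sitecustomize; print(sitecustomize.self_check())"` and check that both override entries are populated; the warning lines on stderr are the same record. Because `set_ciphers()` has no knowledge of the peer, the lowered policy applies to every TLS connection the process makes, so the variable should be set only in the wrapper or service unit that talks to the legacy hosts, and the stock policy stays in place for everything else.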
