urllib2 SSL3_CHECK_CERT_AND_ALGORITHM: dh key too small
Attempting to send a SOAP request using suds, I'm using Python 2.7.6.

I'm not very versed with security; I am led to believe that the security key, on either my machine or the server's machine, is too small, and I'm not sure how to resolve it. Do I generate some new key and create a custom opener? Any assistance/guidance would be helpful.

Stacktrace:

Traceback (most recent call last):
  File "read_xml.py", line 71, in <module>
    client.service.PO(purchase_orders)
  File "/usr/local/lib/python2.7/dist-packages/suds/client.py", line 542, in __call__
    return client.invoke(args, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/suds/client.py", line 602, in invoke
    result = self.send(soapenv)
  File "/usr/local/lib/python2.7/dist-packages/suds/client.py", line 637, in send
    reply = transport.send(request)
  File "/usr/local/lib/python2.7/dist-packages/suds/transport/https.py", line 64, in send
    return  HttpTransport.send(self, request)
  File "/usr/local/lib/python2.7/dist-packages/suds/transport/http.py", line 77, in send
    fp = self.u2open(u2request)
  File "/usr/local/lib/python2.7/dist-packages/suds/transport/http.py", line 118, in u2open
    return url.open(u2request, timeout=tm)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1222, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:510: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small>

I was taking a look at the following links

Python - requests.exceptions.SSLError - dh key too small

https://bugs.python.org/issue24985

https://unix.stackexchange.com/questions/333877/how-to-find-which-key-exactly-dh-key-too-small-openssl-error-is-about

Unsure how to implement what they're talking about; thanks again for any help.

Effable answered 21/9, 2018 at 8:57 Comment(1)
You must either configure your connection to not use Diffie-Hellman (DH) or change things on the server, following instructions at weakdh.org/sysadmin.html. If you control the server, it is best to fix its security and hence change its dhparams as explained in the previous link. If you do not control the server, you have to use the first option. Erlene

I'm using this code fragment in Python 3.7:

import ssl
from urllib.request import HTTPSHandler

import suds
from suds.transport.https import HttpAuthenticated


class SSLAuthenticated(HttpAuthenticated):
    """ Enables SSL context for Suds. """

    # ssl._DEFAULT_CIPHERS is a private attribute of the ssl module; it is
    # used here only to fall back to the interpreter's default cipher list.
    def __init__(self, ssl_ciphers: str = ssl._DEFAULT_CIPHERS, **kwargs):
        self.ssl_ciphers = ssl_ciphers
        super().__init__(**kwargs)

    def u2handlers(self):
        handlers = super().u2handlers()
        # Start from the library defaults (certificate verification on),
        # then restrict the cipher list so DH key exchange is not offered.
        ssl_context = ssl.create_default_context()
        if self.ssl_ciphers is not None:
            ssl_context.set_ciphers(self.ssl_ciphers)
        ssl_context_handler = HTTPSHandler(context=ssl_context)
        # Put our HTTPS handler first so urllib picks it over the default one.
        handlers = [ssl_context_handler] + handlers
        return handlers


# 'HIGH:!DH' keeps strong suites but excludes finite-field Diffie-Hellman,
# so the server's weak dhparams are never negotiated.
client = suds.Client(transport=SSLAuthenticated(ssl_ciphers='HIGH:!DH'))

To obtain the list of available ciphers on a website, run:

nmap --script ssl-enum-ciphers -p 443 affected.website.com

Then choose, one by one, from the A-grade ciphers and check them like so:

openssl s_client -connect affected.website.com:443 -cipher 'HIGH:!DH' -brief
Distaff answered 29/1, 2020 at 7:56 Comment(0)

I solved this by changing DEFAULT@SECLEVEL=2 -> DEFAULT@SECLEVEL=1 in /etc/ssl/openssl.cnf

Transcontinental answered 19/11, 2020 at 17:18 Comment(0)

Works on Windows 11, Python 3.11.

First remove requests from the environment:

pip uninstall requests

Downgrade requests to 2.12.0:

pip install requests==2.12.0

Then modify your code a little bit:

import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context  # imported in the original snippet, not used below
import ssl

class CustomCipherAdapter(HTTPAdapter):
    # Override the pool manager setup so every connection in the pool
    # uses our own SSL context instead of urllib3's default one.
    def init_poolmanager(self, *args, **kwargs):
        context = ssl.create_default_context()
        # SECLEVEL=1 lowers OpenSSL's minimum accepted DH parameter size.
        context.set_ciphers("DEFAULT@SECLEVEL=1")
        kwargs['ssl_context'] = context
        return super(CustomCipherAdapter, self).init_poolmanager(*args,**kwargs)

s = requests.Session()
# Attach the adapter for all https:// URLs handled by this session.
s.mount("https://", CustomCipherAdapter())

Now you can use the session to make all your requests without any problem about "dh too small".

I got part of the code from this Stackoverflow answer, but it still didn't work for me as the cipher wasn't listed there, so I changed it using this other code (pythonbugs) and it worked without any incident.

Fourchette answered 24/6, 2024 at 18:32 Comment(0)
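The answers above take two different routes around the error: excluding finite-field Diffie-Hellman suites with a cipher string such as 'HIGH:!DH', or keeping them and lowering OpenSSL's security level with 'DEFAULT@SECLEVEL=1'. The following is an added example (not code from any of the answers or from suds/requests) that inspects what each policy actually leaves enabled, using only the standard library's ssl module, so you can verify before deploying that the client no longer offers the key exchange that triggered "dh key too small". The cipher strings are the ones quoted on this page; the helper names are this example's own.

```python
import ssl


def build_context(cipher_string=None):
    """Client-side TLS context with certificate verification left on.

    cipher_string is an OpenSSL cipher list, e.g. 'HIGH:!DH' (drop
    finite-field DH key exchange) or 'DEFAULT@SECLEVEL=1' (keep DH but
    lower the minimum parameter size OpenSSL accepts).
    """
    ctx = ssl.create_default_context()
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    return ctx


def key_exchange_of(cipher):
    """Return the Kx= field of a cipher dict from SSLContext.get_ciphers().

    The 'description' value is OpenSSL's one-line cipher description, which
    reports e.g. 'Kx=DH' for DHE suites, 'Kx=ECDH' for ECDHE suites and
    'Kx=any' for TLS 1.3 suites.
    """
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "unknown"


def finite_field_dh_ciphers(ctx):
    """Names of the enabled suites whose key exchange is finite-field DH.

    These are exactly the suites that can fail with 'dh key too small'
    when the server's dhparams are shorter than OpenSSL's minimum.
    """
    return [c["name"] for c in ctx.get_ciphers() if key_exchange_of(c) == "DH"]


def summarize(cipher_string=None):
    """Describe a cipher policy: how many suites it enables and which of
    them still use finite-field DH. Returns an 'error' entry when the
    local OpenSSL rejects the cipher string (e.g. no SECLEVEL support)."""
    try:
        ctx = build_context(cipher_string)
    except ssl.SSLError as exc:
        return {"cipher_string": cipher_string, "error": str(exc)}
    return {
        "cipher_string": cipher_string or "(library default)",
        "enabled": len(ctx.get_ciphers()),
        "ffdh": finite_field_dh_ciphers(ctx),
    }


if __name__ == "__main__":
    # Compare the library default with the two policies from the answers.
    for policy in (None, "HIGH:!DH", "DEFAULT@SECLEVEL=1"):
        s = summarize(policy)
        if "error" in s:
            print(f"{policy!r}: rejected by local OpenSSL ({s['error']})")
            continue
        print(f"{s['cipher_string']:>20}: {s['enabled']:3d} suites enabled, "
              f"{len(s['ffdh'])} of them use finite-field DH")
        for name in s["ffdh"]:
            print(f"{'':>22}- {name}")
```

Running it shows the difference between the two fixes: 'HIGH:!DH' removes every Kx=DH suite while keeping ECDHE and TLS 1.3 suites, so the weak server parameters are simply never negotiated, whereas 'DEFAULT@SECLEVEL=1' keeps the DH suites and instead tells OpenSSL to accept smaller parameters, which is the option to reserve for servers you cannot get fixed.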
