jazzband / django-push-notifications

Send push notifications to mobile devices through GCM or APNS in Django.
MIT License

CA_MD_TOO_WEAK for APNS devices #532

Open mhsiddiqui opened 4 years ago

mhsiddiqui commented 4 years ago

I am getting the following error while sending a push notification to APNS devices.

[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3503)

a2f0 commented 4 years ago

Try editing /etc/ssl/openssl.cnf and setting the following value to 1 (the default is 2 on many newer systems, I believe).

CipherString = DEFAULT@SECLEVEL=1

ekimia commented 4 years ago

@mhsiddiqui did this fix it? Having the same issue here.

mhsiddiqui commented 4 years ago

@ekimia I just found a way to avoid this error. This error was occurring due to the latest version of OpenSSL. I was using Docker and I had to downgrade the OpenSSL version in order to avoid this error. You can use this (http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1-1ubuntu2.1~18.04.4_amd64.deb) version as I am using the same.

captain-fox commented 4 years ago

> Try editing /etc/ssl/openssl.cnf and setting the following value to 1 (the default is 2 on many newer systems, I believe).
>
> CipherString = DEFAULT@SECLEVEL=1

I think many of us run a dev environment on macOS or in Docker, so this solution is not universal and does not cover macOS, as there's no such line in the openssl.cnf file there. The root of this problem has to be fixed or explained in an issue in pyapns2, so I'd suggest we move this thread there, as this issue occurs in several other apns-related projects.

aaronn commented 4 years ago

Same issue here. Has anyone fixed this?

dimaqq commented 4 years ago

Psst. no problem on alpine :)

ekimia commented 4 years ago

@aaronn and everyone - use the new token based method which is better anyways (no more cert expiration!) https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_token-based_connection_to_apns

dimaqq commented 4 years ago

> @aaronn and everyone - use the new token based method which is better anyways (no more cert expiration!) https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_token-based_connection_to_apns

Better is subjective: the JWT allows access to all the apps on your account (team), both prod and staging. Client certificates are more granular.

ekimia commented 4 years ago

@dimaqq is right. But at the same time, I doubt Apple will go and fix this issue, given Apple.

andrewkoltsov commented 3 years ago

I'm using the python:3.8-slim-buster Docker image. I solved it with:

RUN echo "patching open ssl"
RUN cp /etc/ssl/openssl.cnf /app/openssl.cnf
RUN chmod 777 /app/openssl.cnf
RUN sed -i "s/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g" /app/openssl.cnf
ENV OPENSSL_CONF=/app/openssl.cnf

I hope it will help somebody.

gdvalderrama commented 2 years ago

> I'm using the python:3.8-slim-buster Docker image. I solved it with:
>
> RUN echo "patching open ssl"
> RUN cp /etc/ssl/openssl.cnf /app/openssl.cnf
> RUN chmod 777 /app/openssl.cnf
> RUN sed -i "s/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g" /app/openssl.cnf
> ENV OPENSSL_CONF=/app/openssl.cnf
>
> I hope it will help somebody.

I made it a bit shorter just adding the necessary line, instead of copying the whole config:

RUN echo "CipherString=DEFAULT@SECLEVEL=1" >> /etc/ssl/openssl.cnf

This means the CipherString is changed globally though, so use with care.