mvantellingen / python-zeep

A Python SOAP client
http://docs.python-zeep.org

ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small #1229

Open wenscl opened 3 years ago

wenscl commented 3 years ago

Zeep version: 4.0.0
WSDL: https://wsaahomo.afip.gov.ar/ws/services/LoginCms?wsdl

I'm trying to use the Client and getting the following error:

self.client = Client("https://wsaahomo.afip.gov.ar/ws/services/LoginCms?wsdl")

  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/client.py", line 73, in __init__
    self.wsdl = Document(wsdl, self.transport, settings=self.settings)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/wsdl/wsdl.py", line 92, in __init__
    self.load(location)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/wsdl/wsdl.py", line 95, in load
    document = self._get_xml_document(location)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/wsdl/wsdl.py", line 155, in _get_xml_document
    return load_external(
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/loader.py", line 79, in load_external
    content = transport.load(url)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/transports.py", line 122, in load
    content = self._load_remote_data(url)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/zeep/transports.py", line 134, in _load_remote_data
    response = self.session.get(url, timeout=self.load_timeout)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/requests/sessions.py", line 555, in get
    return self.request('GET', url, **kwargs)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/home/wendy/GitHub/AgroSoft/venv/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='wsaahomo.afip.gov.ar', port=443): Max retries exceeded with url: /ws/services/LoginCms?wsdl (Caused by SSLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1123)')))

gopackgo90 commented 3 years ago

Seems like you may need to set your own cipher in requests, see https://stackoverflow.com/questions/38015537/python-requests-exceptions-sslerror-dh-key-too-small.

I think this may also depend on the OpenSSL version that your Python is using. I did not run into this issue on Python 3.9.5 with the latest zeep:

$ python
Python 3.9.5 (default, May  4 2021, 03:36:27) 
[Clang 12.0.0 (clang-1200.0.32.29)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from zeep import Client
>>> client = Client("https://wsaahomo.afip.gov.ar/ws/services/LoginCms?wsdl")
>>> client.__dict__
{'settings': _local(strict=True, raw_response=False, force_https=True, extra_http_headers=None, xml_huge_tree=False, forbid_dtd=False, forbid_entities=True, forbid_external=True, xsd_ignore_sequence_order=False, _tls=<_thread._local object at 0x109664db0>), 'transport': <zeep.transports.Transport object at 0x10960fcd0>, 'wsdl': <WSDL(location='https://wsaahomo.afip.gov.ar/ws/services/LoginCms?wsdl')>, 'wsse': None, 'plugins': [], '_default_service': None, '_default_service_name': None, '_default_port_name': None, '_default_soapheaders': None}
$ pip freeze
appdirs==1.4.4
attrs==21.2.0
cached-property==1.5.2
certifi==2021.5.30
chardet==4.0.0
defusedxml==0.7.1
idna==2.10
isodate==0.6.0
lxml==4.6.3
pytz==2021.1
requests==2.25.1
requests-file==1.5.1
requests-toolbelt==0.9.1
six==1.16.0
urllib3==1.26.6
zeep==4.0.0

And a recent OpenSSL:

$ python
Python 3.9.5 (default, May  4 2021, 03:36:27) 
[Clang 12.0.0 (clang-1200.0.32.29)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.1.1k  25 Mar 2021'

joachimBurket commented 3 years ago

I also had this error with the ldap3 lib; I could make it work by forcing TLSv1_1 instead of TLSv1_2. Maybe it could help.

sparrowt commented 2 years ago

If you have control over the server (or can contact those who do) then ideally the solution would be to configure the server to be more secure by increasing the number of bits used by the server temp key for DH key exchange (see https://stackoverflow.com/a/64581683/).

If you're using Python 3.10, then the reason for "dh key too small" is likely that Python has tightened up the defaults it uses for OpenSSL (see https://github.com/python/cpython/pull/25778). You can of course find methods online to force your Python client to be less secure again, but it is far preferable to update the server as above (or for the client to try and force use of an alternative that is not DH).
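A client-side way to act on gopackgo90's "set your own cipher" hint and sparrowt's "force an alternative that is not DH" without lowering OpenSSL's security level, as an added example that is not code from the zeep project or from anyone in this thread: build a strict SSLContext that simply never offers finite-field DHE suites (so a server that also supports ECDHE negotiates that instead), audit what the context offers, and hand it to zeep through a requests adapter. The cipher string, the function names and the TLSContextAdapter class are this example's own choices; zeep's Transport(session=...) and urllib3's ssl_context pool option are real APIs.

```python
import ssl
from typing import List

# Cipher string that offers only ephemeral-ECDH AEAD suites. The finite-field
# DHE suites that trigger DH_KEY_TOO_SMALL are never offered, so a server that
# also supports ECDHE negotiates that instead. TLS 1.3 suites are unaffected.
NO_FFDHE_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DH"


def build_tls_context(ciphers: str = NO_FFDHE_CIPHERS) -> ssl.SSLContext:
    """Strict client context: verification on, TLS 1.2+, chosen cipher list."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)                  # leaves OpenSSL's security level alone
    return ctx


def finite_field_dh_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that would use finite-field DHE key exchange."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-dhe"]


def is_small_dh_error(exc: BaseException) -> bool:
    """True for the OpenSSL failure from this issue, also when requests wraps it."""
    return "DH_KEY_TOO_SMALL" in str(exc)


def make_zeep_transport(ctx: ssl.SSLContext):
    """zeep Transport whose requests Session uses ctx for every HTTPS pool."""
    # Imported here so the stdlib part of this example runs without requests/zeep.
    from requests import Session
    from requests.adapters import HTTPAdapter
    from zeep.transports import Transport

    class TLSContextAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx       # urllib3 uses it for HTTPS connections
            return super().init_poolmanager(*args, **kwargs)

    session = Session()
    session.mount("https://", TLSContextAdapter())
    return Transport(session=session)


if __name__ == "__main__":
    hardened = build_tls_context()
    print("finite-field DHE suites offered:", finite_field_dh_suites(hardened))
    print("suites offered in total:", len(hardened.get_ciphers()))
```

Pass the transport as Client(wsdl_url, transport=make_zeep_transport(build_tls_context())); if the server supports nothing but small-parameter DHE, the handshake now fails with "no shared cipher" instead of silently succeeding with a weak key, which is the signal to take to the server owner.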