Closed tobsch closed 3 years ago
This appears to be a consequence of the Security Level setting in OpenSSL. The error is coming from the client-side, not from the Apple servers.
From my investigation, it seems that when Apple generates push certificates, it signs them with SHA1 for Sandbox and with SHA256 for Production. We don't have any control over this. If the OpenSSL Security Level is set to >= 2, then the openssl client will reject the connection before it is even fully attempted on the network.
This may manifest differently based on your operating system's default OpenSSL settings. See this page from Debian: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1#:~:text=This%20is%20caused%20by%20the,at%20least%202048%20bit%20long.&text=SECLEVEL%201%20was%20the%20default,a%201024%20bit%20RSA%20key.
SECLEVEL can be changed at the operating-system default level in the openssl.cnf file, overridden per process (by pointing to a custom openssl.cnf), or overridden per connection in application code.
This monkey patch for apnotic solves the issue for me:
```ruby
require 'apnotic'

# Monkey patch: lower the OpenSSL security level only for the sandbox
# (development) APNs endpoint, whose push certificate is SHA1-signed.
module Apnotic
  class Connection
    private

    alias build_ssl_context_original build_ssl_context

    def build_ssl_context
      build_ssl_context_original.tap do |context|
        # Apple generates a certificate for us that has a SHA1 hash for sandbox
        # which is not tolerated by openssl when security_level is >= 2
        context.security_level = 1 if url == APPLE_DEVELOPMENT_SERVER_URL
      end
    end
  end
end
```
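One way to get the clearer error the thread is asking for is to inspect the certificate against the local OpenSSL security level before a connection is attempted. The following is an added example, not apnotic's code and not from anyone in this thread. It assumes the security-bit thresholds documented for SSL_CTX_set_security_level(3) (level 1 = 80 bits, level 2 = 112, and so on) and OpenSSL's key-size table from BN_security_bits(); it also assumes that OpenSSL 3.x rates SHA1 signatures below the 80 bits level 1 requires (in which case the `security_level = 1` patch above would need to be 0 there), which you should verify against your own build. The function names (`diagnose_cert`, `seclevel_problems`, `constructed_cert_pem`) and the self-signed sample certificates are constructed for this example and are not Apple certificates.

```ruby
require 'openssl'

# Minimum security bits per OpenSSL SECLEVEL, per SSL_CTX_set_security_level(3).
LEVEL_MIN_BITS = { 0 => 0, 1 => 80, 2 => 112, 3 => 128, 4 => 192, 5 => 256 }.freeze

# Security bits OpenSSL assigns to a certificate's signature digest.
# Assumption to verify on your build: OpenSSL 3.x rates SHA1 at 64 bits
# (rejected at level 1), while 1.1.1 rates it at 80 (rejected at level 2).
def digest_security_bits(digest, openssl3:)
  case digest
  when 'sha1'   then openssl3 ? 64 : 80
  when 'sha224' then 112
  when 'sha256' then 128
  when 'sha384' then 192
  when 'sha512' then 256
  else 0 # md5 and unknown digests: not acceptable above level 0
  end
end

# Security bits for an RSA modulus, per OpenSSL's BN_security_bits() table.
def rsa_security_bits(modulus_bits)
  return 256 if modulus_bits >= 15_360
  return 192 if modulus_bits >= 7_680
  return 128 if modulus_bits >= 3_072
  return 112 if modulus_bits >= 2_048
  return 80  if modulus_bits >= 1_024
  0
end

# Digest name ("sha1", "sha256", ...) from an X.509 signature algorithm name.
def digest_of(signature_algorithm)
  signature_algorithm.to_s.downcase[/(md5|sha1|sha224|sha256|sha384|sha512)/, 1]
end

# Pure check: [] when the certificate passes the level, otherwise readable
# reasons, each naming the OpenSSL error it would surface as.
def seclevel_problems(sig_digest:, rsa_bits:, level:, openssl3:)
  min = LEVEL_MIN_BITS.fetch(level)
  problems = []
  sig_bits = digest_security_bits(sig_digest, openssl3: openssl3)
  if sig_bits < min
    problems << "signature digest #{sig_digest || 'unknown'} rates #{sig_bits} bits, " \
                "below the #{min} required at SECLEVEL #{level} (ca md too weak)"
  end
  key_bits = rsa_security_bits(rsa_bits)
  if key_bits < min
    problems << "RSA-#{rsa_bits} key rates #{key_bits} bits, " \
                "below the #{min} required at SECLEVEL #{level} (ee key too small)"
  end
  problems
end

# Parse a PEM certificate and report what the local OpenSSL would say about it
# at the given level. openssl3 defaults to the linked library's major version.
def diagnose_cert(pem, level:, openssl3: OpenSSL::OPENSSL_LIBRARY_VERSION[/\d+/].to_i >= 3)
  cert = OpenSSL::X509::Certificate.new(pem)
  rsa_bits = cert.public_key.respond_to?(:n) ? cert.public_key.n.num_bits : 0
  {
    subject: cert.subject.to_s,
    signature_algorithm: cert.signature_algorithm,
    rsa_bits: rsa_bits,
    level: level,
    problems: seclevel_problems(sig_digest: digest_of(cert.signature_algorithm),
                                rsa_bits: rsa_bits, level: level, openssl3: openssl3)
  }
end

# Constructed sample input: a self-signed RSA-2048 certificate signed with the
# given digest, standing in for the SHA1 (Sandbox) and SHA256 (Production)
# certificates the thread describes. Not an Apple certificate.
def constructed_cert_pem(digest_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=constructed-#{digest_name}-example")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  %w[SHA1 SHA256].each do |digest|
    pem = begin
      constructed_cert_pem(digest)
    rescue OpenSSL::OpenSSLError => e
      # Some distributions disable SHA1 signing in their crypto policy.
      warn "skipping #{digest}: signing refused by this OpenSSL (#{e.message})"
      next
    end
    [1, 2].each do |level|
      report = diagnose_cert(pem, level: level)
      puts "#{report[:signature_algorithm]} at SECLEVEL #{level}: " \
           "#{report[:problems].empty? ? 'OK' : 'REJECT'}"
      report[:problems].each { |p| puts "  - #{p}" }
    end
  end
end
```

Running the script prints one line per certificate and level; a non-empty `problems` list is the condition under which `SSL_CTX_use_certificate` fails with the error quoted in this thread. Lowering the security level also lowers what the server's chain and the negotiated cipher suite must satisfy, so keep any override scoped to the single endpoint that needs it, as the patch does, rather than changing the system-wide openssl.cnf default.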
It's unclear where this issue is coming from. Please re-open and include a backtrace if you're still seeing this.
Hi, I had the same issue - the only error was "SSL: CA_MD_TOO_WEAK". This monkey patch solved my problem. What info do you need to investigate?
I'm seeing this as well.
@benubois here's the stack:
```
OpenSSL::SSL::SSLError: SSL_CTX_use_certificate: ca md too weak
  from net-http2 (0.18.4) lib/net-http2/socket.rb:19:in `initialize'
  from net-http2 (0.18.4) lib/net-http2/socket.rb:19:in `new'
  from net-http2 (0.18.4) lib/net-http2/socket.rb:19:in `ssl_socket'
  from net-http2 (0.18.4) lib/net-http2/socket.rb:6:in `create'
  from net-http2 (0.18.4) lib/net-http2/client.rb:162:in `new_socket'
  from net-http2 (0.18.4) lib/net-http2/client.rb:110:in `block in ensure_open'
  from net-http2 (0.18.4) lib/net-http2/client.rb:106:in `synchronize'
  from net-http2 (0.18.4) lib/net-http2/client.rb:106:in `ensure_open'
  from net-http2 (0.18.4) lib/net-http2/client.rb:36:in `call'
  from apnotic (1.7.0) lib/apnotic/connection.rb:45:in `push'
  from app/jobs/send_notification_job.rb:59:in `block in send_push'
  from connection_pool (2.2.5) lib/connection_pool.rb:63:in `block (2 levels) in with'
  from connection_pool (2.2.5) lib/connection_pool.rb:62:in `handle_interrupt'
  from connection_pool (2.2.5) lib/connection_pool.rb:62:in `block in with'
  from connection_pool (2.2.5) lib/connection_pool.rb:59:in `handle_interrupt'
  from connection_pool (2.2.5) lib/connection_pool.rb:59:in `with'
  from app/jobs/send_notification_job.rb:48:in `send_push'
```
Here are the versions I'm using:
```
apnotic (1.7.0)
connection_pool (2.2.5)
net-http2 (0.18.4)
http-2 (0.11.0)
```
Let me know if any other information would be helpful!
Thanks @soffes!
Can you let me know if the security_level branch resolves the issue?
@benubois I tried the snippet earlier in the thread and was still seeing this issue. I'll try that branch today!
So that branch didn't change anything. ~I figured it out though! Before, I was only using the production connection by mistake. Changed to use development if needed and the error went away.~ This wasn't it.
Would be great if there was a more clear error for using development certs with the production server (if you could detect this somehow). I think that is this issue, but not 100% sure.
Hope this helps!
Great!
No idea if that’s detectable.
I’d recommend the token auth option over certificate auth. No need for separate certs or renewing them every year.
Ugh this wasn't it. Still seeing the issue for a small number of devices :(
It's only from a user that had previously used development builds. Could be still using the wrong environment for a device token. Will report back if I figure anything else out.
Sure would be cool if Apple gave us a better error 😅
We are getting this error in connection with Apnotic notifications we try to trigger. From my perspective, this error means that Apple denies our connection requests because of a wrong CA. Is this correct? Is there any advice you could give us here?