Closed joakim-tjernlund closed 3 years ago
Could you provide more context here (like, what command caused this error)?
Did you find this in the log? Looks like this is from an automatic resubmit maybe?
Maybe you could increase the size of the key in the original request (with -g). Does that help? Try 4096 maybe.
It is from a getcert request, and I think the key size refers to the cert on the https server? That key size is only 1024.
I tried -g4096 but got the same error.
I have seen something in openssl about setting SECLEVEL=1, but I don't know how to do that in cepces.
It looks like there are 2 possible solutions, and they are configuration. First, change the default SECLEVEL to 1 for the whole system (this will impact cepces also). See: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 The second (and arguably correct) option is to upgrade the security on your server. We could add some clunky workaround in the cepces code, but I don't think that is the right approach.
I have tried setting system SECLEVEL=1 but that did not help. Tried several combos but nothing. There is also a request to update the cert on that server.
Hrm, I would expect that global option to work.
Been traveling for a while... I think Python uses its own default, so one may have to force SECLEVEL=1 from cepces itself.
In https://github.com/python/cpython/blob/main/Modules/_ssl.c:158 one can see:
```c
#elif PY_SSL_DEFAULT_CIPHERS == 1
/* Python custom selection of sensible cipher suites
 * @SECLEVEL=2: security level 2 with 112 bits minimum security (e.g. 2048 bits RSA key)
 * ECDH+*: enable ephemeral elliptic curve Diffie-Hellman
 * DHE+*: fallback to ephemeral finite field Diffie-Hellman
 * encryption order: AES AEAD (GCM), ChaCha AEAD, AES CBC
 * !aNULL:!eNULL: really no NULL ciphers
 * !aDSS: no authentication with discrete logarithm DSA algorithm
 * !SHA1: no weak SHA1 MAC
 * !AESCCM: no CCM mode, it's uncommon and slow
 *
 * Based on Hynek's excellent blog post (update 2021-02-11)
 * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 */
#define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
#ifndef PY_SSL_MIN_PROTOCOL
#define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
#endif
```
So Python sets its own defaults. One can change this in the app, but I cannot figure out how (I do not speak Python). Any clues?
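The following is an added example, not code from cepces or from anyone in this thread, showing how a Python client overrides the `@SECLEVEL=2` baked into CPython's default cipher string. It reuses the cipher string quoted above with only the level changed, so the cipher preference order stays Python's own; the `MIN_RSA_BITS` table is taken from the OpenSSL `SSL_CTX_set_security_level(3)` documentation, `probe` is a hypothetical helper name, and the `security_level` attribute used for checking exists on Python 3.10 and later.

```python
import socket
import ssl

# CPython's own default cipher string (Modules/_ssl.c, quoted above) with the
# security level lowered from 2 to 1. Everything after the level is unchanged.
LEGACY_CIPHER_STRING = (
    "@SECLEVEL=1:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:"
    "!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
)

# Minimum RSA modulus OpenSSL accepts per security level, from
# SSL_CTX_set_security_level(3): levels 1..5 require 80/112/128/192/256 bits
# of security, which for RSA means 1024/2048/3072/7680/15360-bit keys.
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def rsa_key_accepted(key_bits: int, level: int) -> bool:
    """Would a server certificate with an RSA key of this size pass `level`?"""
    return key_bits >= MIN_RSA_BITS[level]


def legacy_client_context(level: int = 1) -> ssl.SSLContext:
    """Default client context (chain and hostname verification kept) whose
    OpenSSL security level is lowered for this context only, which is why a
    system-wide openssl.cnf CipherString did not help: Python's own string
    re-sets @SECLEVEL=2 on every default context."""
    if level not in MIN_RSA_BITS:
        raise ValueError(f"unsupported security level {level}")
    ctx = ssl.create_default_context()
    cipher_string = LEGACY_CIPHER_STRING.replace(
        "@SECLEVEL=1", f"@SECLEVEL={level}", 1
    )
    ctx.set_ciphers(cipher_string)
    return ctx


def probe(host: str, port: int = 443, level: int = 1, timeout: float = 5.0):
    """Hypothetical helper: connect with the lowered level and report whether
    the handshake succeeded. At level 2 a 1024-bit RSA server key fails with
    CERTIFICATE_VERIFY_FAILED ("EE certificate key too weak")."""
    ctx = legacy_client_context(level)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version(), tls.getpeercert().get("subject")
    except ssl.SSLError as exc:
        return False, exc.reason, str(exc)
```

Lowering the level in the client only relaxes the key-size and signature policy; hostname matching and chain validation against the trust store still apply. Keep such an override scoped to the one context that talks to the weak server, and remove it once the server has a 2048-bit or larger key.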
Never mind, the CA has gotten a new, better cert, so no problem anymore for me.
Any way one can configure cepces to override SSL's weak cert handling: