search

ufven / cepces

cepces is an application for enrolling certificates through CEP and CES.
GNU General Public License v3.0
10 stars 0 forks source link

EE certificate key too weak #17

Closed joakim-tjernlund closed 3 years ago

joakim-tjernlund commented 3 years ago

Any way one can configure cepces to override SSLs weak cert handlind:

Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 66, in main
    result = operation()
  File "/usr/lib/python3.8/site-packages/cepces/certmonger/operation.py", line 112, in __call__
    result = service.request(
  File "/usr/lib/python3.8/site-packages/cepces/core.py", line 212, in request
    return self._request_ces(csr)
  File "/usr/lib/python3.8/site-packages/cepces/core.py", line 167, in _request_ces
    response = self._ces.request(csr_raw)
  File "/usr/lib/python3.8/site-packages/cepces/wstep/service.py", line 96, in request
    response = self.send(envelope)
  File "/usr/lib/python3.8/site-packages/cepces/soap/service.py", line 80, in send
    req = requests.post(url=self._endpoint,
  File "/usr/lib/python3.8/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='x.y.z', port=443): Max retries exceeded with url: /x-y-z_CES_Kerberos/service.svc/CES (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147)')))
dmulder commented 3 years ago

Could you provide more context here (like, what command caused this error)?

dmulder commented 3 years ago

Did you find this in the log? Looks like this is from an automatic resubmit maybe?

dmulder commented 3 years ago

Maybe you could increase the size of the key in the original request (with -g). Does that help? Try 4096 maybe.

joakim-tjernlund commented 3 years ago

It is from a getcert request and I think the key size refers to the cert on the https server ? that Key Size is only 1024

joakim-tjernlund commented 3 years ago

I tried -g4096 but the same error

joakim-tjernlund commented 3 years ago

I have seen in openssl about setting SECLEVEL=1 but I don't know how to do that in cepces

dmulder commented 3 years ago

It looks like there are 2 possible solutions, and they are configuration. First, change the default SECLEVEL to 1 for the whole system (this will impact cepces also). See: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 The second (and arguably correct) option, is to upgrade the security on your server. We could add some clunky work around in the cepces code, but I don't think that is the right approach.

joakim-tjernlund commented 3 years ago

I have tried setting system SECLEVEL=1 but that did not help. Tried several combos but nothing. There is also an request to update the cert on that sever

dmulder commented 3 years ago

Hrm, I would expect that global option to work.

joakim-tjernlund commented 3 years ago

Been traveling for a while ... I think python uses its own default so one may have to force SECLEVEL=1 from cepces itself

joakim-tjernlund commented 3 years ago

in https://github.com/python/cpython/blob/main/Modules/_ssl.c:158 one can see:

#elif PY_SSL_DEFAULT_CIPHERS == 1
/* Python custom selection of sensible cipher suites
 * @SECLEVEL=2: security level 2 with 112 bits minimum security (e.g. 2048 bits RSA key)
 * ECDH+*: enable ephemeral elliptic curve Diffie-Hellman
 * DHE+*: fallback to ephemeral finite field Diffie-Hellman
 * encryption order: AES AEAD (GCM), ChaCha AEAD, AES CBC
 * !aNULL:!eNULL: really no NULL ciphers
 * !aDSS: no authentication with discrete logarithm DSA algorithm
 * !SHA1: no weak SHA1 MAC
 * !AESCCM: no CCM mode, it's uncommon and slow
 *
 * Based on Hynek's excellent blog post (update 2021-02-11)
 * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 */
  #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
  #ifndef PY_SSL_MIN_PROTOCOL
    #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
  #endif

So python sets its own defaults. One can change this in the app but I cannot figure out how(do not speak python) Any clues?

joakim-tjernlund commented 3 years ago

Never mind, the CA has gotten a new better cert so no problem anymore for me.