OpenSSL v3 cert signature digest algorithm too weak #52

Open
metaist opened this issue Sep 10, 2024 · 3 comments

Comments

@metaist

metaist commented Sep 10, 2024

$ wget https://cosmo.zip/pub/cosmos/bin/python
$ chmod +x python
$ ./python -V
Python 3.12.3

$ ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 3.3.1 4 Jun 2024

$ ./python -c 'import urllib.request; print(urllib.request.urlopen("https://github.com/").read().decode())'
Traceback (most recent call last):
  File "./Lib/urllib/request.py", line 1344, in do_open
  File "./Lib/http/client.py", line 1336, in request
  File "./Lib/http/client.py", line 1382, in _send_request
  File "./Lib/http/client.py", line 1331, in endheaders
  File "./Lib/http/client.py", line 1091, in _send_output
  File "./Lib/http/client.py", line 1035, in send
  File "./Lib/http/client.py", line 1477, in connect
  File "./Lib/ssl.py", line 455, in wrap_socket
  File "./Lib/ssl.py", line 1042, in _create
  File "./Lib/ssl.py", line 1320, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] unknown error: CA signature digest algorithm too weak (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "./Lib/urllib/request.py", line 215, in urlopen
  File "./Lib/urllib/request.py", line 515, in open
  File "./Lib/urllib/request.py", line 532, in _open
  File "./Lib/urllib/request.py", line 492, in _call_chain
  File "./Lib/urllib/request.py", line 1392, in https_open
  File "./Lib/urllib/request.py", line 1347, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] unknown error: CA signature digest algorithm too weak (_ssl.c:1000)>

However, in a fresh uv venv, everything works (although note the newer python and older OpenSSL versions):

$ uv venv
Using Python 3.12.5
Creating virtualenv at: .venv
Activate with: source .venv/bin/activate

$ . .venv/bin/activate
$ python -V
Python 3.12.5

$ python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 3.0.14 4 Jun 2024

$ python -c 'import urllib.request; print(urllib.request.urlopen("https://github.com/").read().decode())'
# <... snip ...>
<!DOCTYPE html>
<html
  lang="en"
  
  data-color-mode="light" data-light-theme="light" data-dark-theme="dark"
  data-a11y-animated-images="system" data-a11y-link-underlines="true"
  >
# <... snip ...>

I checked all the certs that GitHub produces and they all seem fine even with the stricter requirements. If I disable checking certs, everything works, but that seems like a bad idea.

I also tried replacing all the certs in the cosmo python with the ones on my machine, but nothing helped.

@ahgamut
Owner

ahgamut commented Sep 10, 2024

Does it work if you use a Python executable from this release? https://github.com/ahgamut/superconfigure/releases/tag/z0.0.47

If so, it's likely related to some API difference between OpenSSL 1.1.1 and OpenSSL 3 -- we're trying to patch this. Perhaps you can help us?

@metaist
Author

metaist commented Sep 10, 2024

Yes, it does work.

Terminal Output
$ wget https://github.com/ahgamut/superconfigure/releases/download/z0.0.47/lang.zip
# <snip>

$ unzip lang.zip 
Archive:  lang.zip
   creating: libexec/
   creating: bin/
  inflating: bin/python              
  inflating: bin/janet               
  inflating: bin/tclsh8.6            
  inflating: bin/php                 
  inflating: bin/berry               
  inflating: bin/lua   

$ ./bin/python -V
Python 3.12.3

$ ./bin/python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.1.1u  30 May 2023

$ ./bin/python -c 'import urllib.request; print(urllib.request.urlopen("https://github.com/").read().decode())'
# <snip>
<!DOCTYPE html>
<html
  lang="en"
  
  data-color-mode="light" data-light-theme="light" data-dark-theme="dark"
  data-a11y-animated-images="system" data-a11y-link-underlines="true"
  >
# <snip>

From what I've read, OpenSSL 3 increased the security level and started rejecting weaker digest algorithms. However, the static build of python that uv is using has a version of OpenSSL 3 that works just fine, so it should be possible. Plus, I confirmed that the security levels were the same between the uv version and the cosmo build.

I'd love to try to help, but don't even know where to start looking. Any pointers on where to start?
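The two checks described in the comments above (looking at the signature digest of every certificate involved, and comparing the OpenSSL security level of the two builds) can be scripted. The following is an added example written for this page; it is not code from the thread, from cosmopolitan or from the superconfigure project. It parses just enough DER to pull the signatureAlgorithm OID out of an X.509 certificate, names it, and flags the MD5/SHA-1 digests that an OpenSSL 3 security level rejects with "CA signature digest algorithm too weak". The certificates it is run on are constructed, unsigned stand-ins built inline (so the script runs offline), not real GitHub certificates. The function names, the OID table and the `peer_signature_algorithm` network helper are this example's own choices; the `ssl` calls it uses (`create_default_context`, `getpeercert(binary_form=True)`, `PEM_cert_to_DER_cert`, `DER_cert_to_PEM_cert`, `SSLContext.security_level`) are standard library.

```python
"""Report the signature digest of X.509 certificates (DER or PEM bundle) and the
OpenSSL security level of the default Python ssl context.  Added example; the
sample certificates below are constructed placeholders, not real certificates."""
import socket
import ssl

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758, RFC 8410).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "rsassaPss",      # digest lives in the parameters, not inspected here
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "Ed25519",
}
# Digests that a non-zero OpenSSL security level refuses for certificate signatures.
WEAK_DIGESTS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets to dotted form (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear terminates a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)                 # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)                # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(oid)


def classify_signature(der):
    """Return (algorithm name, is_weak) for one DER certificate."""
    name = SIG_ALG_NAMES.get(signature_algorithm_oid(der), signature_algorithm_oid(der))
    return name, name in WEAK_DIGESTS


def classify_pem_bundle(pem_text):
    """Classify every certificate in a PEM bundle (e.g. a CA file); returns a list of (name, is_weak)."""
    marker = "-----END CERTIFICATE-----"
    blocks = [b + marker for b in pem_text.split(marker) if "-----BEGIN CERTIFICATE-----" in b]
    return [classify_signature(ssl.PEM_cert_to_DER_cert(b.strip() + "\n")) for b in blocks]


def openssl_summary():
    """OpenSSL version and the security level of Python's default verifying context (3.10+)."""
    ctx = ssl.create_default_context()
    return {"openssl": ssl.OPENSSL_VERSION, "security_level": getattr(ctx, "security_level", None)}


def peer_signature_algorithm(host, port=443, timeout=5.0):
    """Live check of a server's leaf certificate (needs network; verification stays ON)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_signature(tls.getpeercert(binary_form=True))


# --- constructed test input: certificate-shaped DER, not a valid or signed certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def fake_certificate(sig_oid):
    """Placeholder tbsCertificate (just a serial INTEGER), AlgorithmIdentifier with NULL params, dummy BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify_signature(fake_certificate(oid)))
    print(openssl_summary())
```

Because the error names the CA signature, checking only the leaf returned by `getpeercert` is not enough: run `classify_pem_bundle` over the CA file each build ships and over the intermediates the server sends (on Python 3.13 `SSLSocket.get_verified_chain()` returns the whole chain; on 3.12 use `openssl s_client -showcerts`), and compare `openssl_summary()` between the cosmo binary and the uv interpreter. A chain that is clean on both while only one build fails points at the build's OpenSSL or trust store rather than at the server.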

@ahgamut
Owner

ahgamut commented Sep 11, 2024

I've reset to OpenSSL v1.1.1 for now, so I expect the next release to work.

I'd love to try to help, but don't even know where to start looking. Any pointers on where to start?

You'd need to test the python ELF executables in lang-dbg.zip (with --ftrace or --strace). The big thing would be more details on how the OpenSSL API has changed -- my guess is that some digest API that was the default on OpenSSL v1 is now invalid in v3, but I'm not sure where to check that.

@ahgamut ahgamut changed the title python ssl can't verify certs OpenSSL v3 cert signature digest algorithm too weak Sep 11, 2024