OpenSSL v3 cert signature digest algorithm too weak #52
Comments
Does it work if you use a Python executable from this release? https://github.com/ahgamut/superconfigure/releases/tag/z0.0.47 If so, it's likely related to some API difference between OpenSSL 1.1.1 and OpenSSL 3 -- we're trying to patch this. Perhaps you can help us?
Yes, it does work.

Terminal Output

```
$ wget https://github.com/ahgamut/superconfigure/releases/download/z0.0.47/lang.zip
# <snip>
$ unzip lang.zip
Archive: lang.zip
creating: libexec/
creating: bin/
inflating: bin/python
inflating: bin/janet
inflating: bin/tclsh8.6
inflating: bin/php
inflating: bin/berry
inflating: bin/lua
$ ./bin/python -V
Python 3.12.3
$ ./bin/python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.1.1u 30 May 2023
$ ./bin/python -c 'import urllib.request; print(urllib.request.urlopen("https://github.com/").read().decode())'
# <snip>
<!DOCTYPE html>
<html
lang="en"
data-color-mode="light" data-light-theme="light" data-dark-theme="dark"
data-a11y-animated-images="system" data-a11y-link-underlines="true"
>
# <snip>
```

From what I've read, OpenSSL 3 increased the security level and started rejecting weaker digest algorithms. However, the static build of python that I'd love to try to help, but don't even know where to start looking. Any pointers on where to start?
I've reset to OpenSSL v1.1.1 for now, so I expect the next release to work.
You'd need to test the python ELF executables in
`ssl` can't verify certs

However, in a fresh `uv venv`, everything works (although note the newer python and older OpenSSL versions):

I checked all the certs that GitHub produces and they all seem fine even with the stricter requirements. If I disable checking certs, everything works, but that seems like a bad idea.
I also tried replacing all the certs in the cosmo python with the ones on my machine, but nothing helped.
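
One way to run the certificate check described in this thread over a whole CA bundle, as an added example that is not code from the issue or from the project: it reads each certificate's signature algorithm and flags MD5 and SHA-1, the digests OpenSSL 3 no longer accepts in certificate signatures at security level 1 and above. The function names and the constructed sample certificates are assumptions made for illustration.

```python
import base64
import re

# DER-encoded OID prefixes: PKCS#1 RSA signatures and ANSI X9.62 ECDSA signatures.
RSA, ECDSA = "2a864886f70d0101", "2a8648ce3d04"
SIG_OIDS = {RSA + "04": "md5", RSA + "05": "sha1", RSA + "0b": "sha256",
            RSA + "0c": "sha384", RSA + "0d": "sha512", ECDSA + "01": "sha1",
            ECDSA + "0302": "sha256", ECDSA + "0303": "sha384", ECDSA + "0304": "sha512"}
WEAK = {"md5", "sha1"}  # refused in cert signatures by OpenSSL 3 at security level >= 1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_digest(der):
    """Digest named by Certificate.signatureAlgorithm, or 'unknown:<hex oid>'."""
    _, start, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, "unknown:" + oid)

def audit_bundle(pem_text):
    """Return [(index, digest, is_weak)] for every certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    digests = [signature_digest(base64.b64decode(b)) for b in blocks]
    return [(i, d, d in WEAK) for i, d in enumerate(digests)]

# Constructed sample: minimal DER skeletons (empty tbsCertificate, dummy signature),
# enough to exercise the parser but not real certificates.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def sample_pem(oid_hex):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00\xff"))
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE = sample_pem(RSA + "0b") + sample_pem(RSA + "05")
if __name__ == "__main__":
    print(audit_bundle(SAMPLE))
```

Pass the contents of a real bundle to `audit_bundle` in place of `SAMPLE`. Treat a flagged self-signed root as lower priority than a flagged intermediate or leaf, since a trust anchor's own signature is not part of path validation.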