EE certificate key too weak (_ssl.c:1131)

Time:10-16

I am using the python 3.8 client example on my Modbus application, but I get an error like this:

    self._sock = context.wrap_socket(self._sock, server_hostname=self._host)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1131)

This is the connection code I added:

 def _do_open(self):
        """Open a TCP connection to the Modbus slave and wrap it in TLS.

        Any existing socket is closed first. The TLS handshake runs inside
        ``wrap_socket``; the server certificate is verified against the
        certificates loaded from ``cert.pem``. Hostname matching is switched
        off below, so the certificate's names are not compared with
        ``self._host``.
        """
        if self._sock:
            self._sock.close()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Re-apply the configured timeout; presumably set_timeout acts on the
        # new self._sock (its body is not shown here).
        self.set_timeout(self.get_timeout())
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        call_hooks("modbus_tcp.TcpMaster.before_connect", (self, ))
        # A PROTOCOL_TLS_CLIENT context starts with verify_mode=CERT_REQUIRED
        # and check_hostname=True.
        context = SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # context.options |= ssl.OP_NO_SSLv3
        # Only TLS 1.0 is switched off here. The TLS 1.1 line below is
        # commented out, so this code does not itself rule out TLS 1.1.
        context.options |= ssl.OP_NO_TLSv1
        # context.options |= ssl.OP_NO_TLSv1_1

        # Trust anchors come from 'cert.pem', a relative path resolved against
        # the current working directory.
        context.load_verify_locations('cert.pem')
        # NOTE(review): with hostname checking off, any certificate that chains
        # to cert.pem is accepted regardless of which host it names. Prefer a
        # server certificate whose subjectAltName matches self._host and leave
        # this setting at its default.
        context.check_hostname = False
        # Left disabled: CERT_NONE would skip certificate verification
        # entirely. It silences "EE certificate key too weak" only by no longer
        # authenticating the server.
        # context.verify_mode = ssl.CERT_NONE
        # with create_connection((self._host, self._port)) as self._sock:
        self._sock.connect((self._host, self._port))
        # time.sleep(4)
        # print("db:1")
        # The handshake and certificate verification happen inside this call;
        # it is the line that raised SSLCertVerificationError in the traceback.
        # server_hostname is still passed even though hostname checking is off.
        self._sock = context.wrap_socket(self._sock, server_hostname=self._host)
        #         # print("db:2")
        # NOTE(review): the after_connect hook is commented out, so it is not
        # called from this method.
        # call_hooks("modbus_tcp.TcpMaster.after_connect", (self, ))

If I add the line context.verify_mode = ssl.CERT_NONE as a workaround, it works successfully, but that is not the correct way, because it turns off certificate verification altogether. How can I solve the problem?

This is the certificate and key on the server (an example key and certificate that I found on GitHub):

/* Example private key that the asker copied from a public GitHub project.
 * Because it is published, it offers no secrecy and is only suitable for
 * local testing; a real device needs its own freshly generated key.
 * NOTE(review): the blanks inside the base64 lines look like '+' characters
 * lost when the page was extracted -- confirm against the original file. */
const char *privkey = "-----BEGIN PRIVATE KEY-----\n"\
    "MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAhD0FKNdH91c8Vis0\n"\
    "T7Pli3Grb BM5xA1V/iNTGer5WSwJlAab6lJ6NNh7R15AXOO7XODOs58ikmEqgWi\n"\
    "wacQfwIDAQABAkAG4KeSirPO/OYB80hKtugC2xwX vn08IZdt2sd5Kxvhzvmp9eM\n"\
    "F4QhlQLHOMrk5LkM7FF0G3FgZHlOAZAVbQTtAiEA6SOLWEpnCCEkkCLMmZTcwzV0\n"\
    "cX9c7ngnOF/xwIn8IT0CIQCRNJVZ3YcJoXFuOCdUid8qOqdatCDkV8TQNxXxPVSc\n"\
    "awIgR1fIMXl7NAKoZK8xeyIRuG7oNj8qWhNMtTSvDyNqk2UCIGgVWi0ldwN3Pviz\n"\
    "tbWKcnYxvv5sedtT8pcRtV/MB5drAiBZSqkW9Ha37EObdrctWBvBvHtUp8k9XOy6\n"\
    "1X0wxUy5BQ==\n"\
    "-----END PRIVATE KEY-----\n";

/* Server certificate matching the example key. The openssl dump quoted in the
 * answer reports a 512-bit RSA public key for it, which is what the client
 * rejects with "EE certificate key too weak". The remedy given in the answer
 * is to reissue it with a stronger key (at least 2048-bit RSA).
 * NOTE(review): the blanks inside the base64 lines look like '+' characters
 * lost when the page was extracted -- confirm against the original file. */
const char *cert = "-----BEGIN CERTIFICATE-----\n"\
    "MIIB2jCCAYSgAwIBAgIIU3U2E0/GMUowDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UE\n"\
    "AwwPU3RyYWlnaHQgUm9vdENBMB4XDTIwMTExNTAwMDAwMFoXDTQwMTExNTAwMDAw\n"\
    "MFowGjEYMBYGA1UEAwwPU3RyYWlnaHQgU2VydmVyMFwwDQYJKoZIhvcNAQEBBQAD\n"\
    "SwAwSAJBAIQ9BSjXR/dXPFYrNE z5Ytxq2/gTOcQNVf4jUxnq VksCZQGm pSejT\n"\
    "Ye0deQFzju1zgzrOfIpJhKoFosGnEH8CAwEAAaOBrTCBqjBJBgNVHSMEQjBAgBSD\n"\
    "hOKzs 3Mo56OeliOMM0gQZgafKEepBwwGjEYMBYGA1UEAwwPU3RyYWlnaHQgUm9v\n"\
    "dENBgghnEtSASbZ0HDAdBgNVHQ4EFgQUGroKNtRTXQ7nxeYSQlZq35oVQDQwDAYD\n"\
    "VR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASggZzZXJ2\n"\
    "ZXKCCHN0cmFpZ2h0MA0GCSqGSIb3DQEBCwUAA0EAO02jJwxokR4CeA8DDJqp/9Qk\n"\
    "0dim// cjVTjxqIgUS5ykNW2CAIRuP5rVyzNv6U02F0q92Vs/754/ep TyT70w==\n"\
    "-----END CERTIFICATE-----\n";

CodePudding user response:

The output from openssl x509 -text -in cert.pem on your certificate shows:

    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (512 bit)
            Modulus:
                00:84:3d:05:28:d7:47:f7:57:3c:56:2b:34:4f:b3:

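512-bit RSA has been terribly weak for years. That is what the program is complaining about. You need to create the certificate with a stronger key, such as RSA with at least 2048 bits. Setting verify_mode to ssl.CERT_NONE only makes the error go away by skipping certificate verification; it does not make the connection trustworthy.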
