I am using the python 3.8 client example on my Modbus application, but I get an error like this:
self._sock = context.wrap_socket(self._sock, server_hostname=self._host)
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1131)
Here is the connection code I added:
def _do_open(self):
    """Open a TCP connection to the Modbus slave and upgrade it to TLS.

    Any previously held socket is closed first. The TLS context is built
    with ``ssl.PROTOCOL_TLS_CLIENT``, which requires a valid server
    certificate by default; trust is taken from the local file ``cert.pem``.
    Only the ``before_connect`` hook is fired by this method.

    Raises:
        ssl.SSLCertVerificationError: if the server certificate is rejected
            during the handshake (for example because its key is too weak).
        OSError: if the TCP connection cannot be established.
    """
    # Drop whatever socket is left over from an earlier connection.
    if self._sock:
        self._sock.close()

    self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # presumably applies the configured timeout to the new socket - confirm
    # against set_timeout()
    self.set_timeout(self.get_timeout())
    self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    call_hooks("modbus_tcp.TcpMaster.before_connect", (self, ))

    tls_context = SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only TLS 1.0 is explicitly excluded here.
    tls_context.options |= ssl.OP_NO_TLSv1
    # Relative path: resolved against the process's working directory.
    tls_context.load_verify_locations('cert.pem')
    # Hostname matching is switched off, so the certificate chain is still
    # validated against cert.pem but the name in the certificate is not
    # compared with self._host. verify_mode is left at its default;
    # setting it to ssl.CERT_NONE would accept any certificate at all.
    tls_context.check_hostname = False

    plain_sock = self._sock
    plain_sock.connect((self._host, self._port))
    # server_hostname is still passed so that SNI is sent to the server.
    self._sock = tls_context.wrap_socket(
        plain_sock, server_hostname=self._host
    )
If I add the line context.verify_mode = ssl.CERT_NONE as a workaround, the connection succeeds, but that is not the correct way, since it switches certificate verification off entirely. How can I solve the problem?
These are the certificate and key on the server (an example key and cert that I found on GitHub):
/* Server private key, embedded as a PEM string.
 * The poster describes this as an example key found on GitHub, so it is
 * publicly known and only suitable for testing.
 * NOTE(review): some base64 lines below contain a space, which is not a
 * base64 character; presumably a '+' was lost when the page was extracted.
 * Verify against the original before use. */
const char *privkey = "-----BEGIN PRIVATE KEY-----\n"\
"MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAhD0FKNdH91c8Vis0\n"\
"T7Pli3Grb BM5xA1V/iNTGer5WSwJlAab6lJ6NNh7R15AXOO7XODOs58ikmEqgWi\n"\
"wacQfwIDAQABAkAG4KeSirPO/OYB80hKtugC2xwX vn08IZdt2sd5Kxvhzvmp9eM\n"\
"F4QhlQLHOMrk5LkM7FF0G3FgZHlOAZAVbQTtAiEA6SOLWEpnCCEkkCLMmZTcwzV0\n"\
"cX9c7ngnOF/xwIn8IT0CIQCRNJVZ3YcJoXFuOCdUid8qOqdatCDkV8TQNxXxPVSc\n"\
"awIgR1fIMXl7NAKoZK8xeyIRuG7oNj8qWhNMtTSvDyNqk2UCIGgVWi0ldwN3Pviz\n"\
"tbWKcnYxvv5sedtT8pcRtV/MB5drAiBZSqkW9Ha37EObdrctWBvBvHtUp8k9XOy6\n"\
"1X0wxUy5BQ==\n"\
"-----END PRIVATE KEY-----\n";
/* Server certificate, embedded as a PEM string (presumably the certificate
 * issued for privkey - confirm).
 * The openssl x509 output quoted on this page reports a 512-bit RSA public
 * key for it, which is what the Python client rejects with
 * "EE certificate key too weak".
 * NOTE(review): some base64 lines below contain a space, which is not a
 * base64 character; presumably a '+' was lost when the page was extracted.
 * Verify against the original before use. */
const char *cert = "-----BEGIN CERTIFICATE-----\n"\
"MIIB2jCCAYSgAwIBAgIIU3U2E0/GMUowDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UE\n"\
"AwwPU3RyYWlnaHQgUm9vdENBMB4XDTIwMTExNTAwMDAwMFoXDTQwMTExNTAwMDAw\n"\
"MFowGjEYMBYGA1UEAwwPU3RyYWlnaHQgU2VydmVyMFwwDQYJKoZIhvcNAQEBBQAD\n"\
"SwAwSAJBAIQ9BSjXR/dXPFYrNE z5Ytxq2/gTOcQNVf4jUxnq VksCZQGm pSejT\n"\
"Ye0deQFzju1zgzrOfIpJhKoFosGnEH8CAwEAAaOBrTCBqjBJBgNVHSMEQjBAgBSD\n"\
"hOKzs 3Mo56OeliOMM0gQZgafKEepBwwGjEYMBYGA1UEAwwPU3RyYWlnaHQgUm9v\n"\
"dENBgghnEtSASbZ0HDAdBgNVHQ4EFgQUGroKNtRTXQ7nxeYSQlZq35oVQDQwDAYD\n"\
"VR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASggZzZXJ2\n"\
"ZXKCCHN0cmFpZ2h0MA0GCSqGSIb3DQEBCwUAA0EAO02jJwxokR4CeA8DDJqp/9Qk\n"\
"0dim// cjVTjxqIgUS5ykNW2CAIRuP5rVyzNv6U02F0q92Vs/754/ep TyT70w==\n"\
"-----END CERTIFICATE-----\n";
CodePudding user response:
The output from openssl x509 -text -in cert.pem
on your certificate shows:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (512 bit)
Modulus:
00:84:3d:05:28:d7:47:f7:57:3c:56:2b:34:4f:b3:
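512-bit RSA has been terribly weak for years, and that is what the program is complaining about. You need to create the certificate with a stronger key, at least 2048-bit RSA. Because this key pair was copied from a public example, its private key is known to anyone, so generate your own key pair rather than reusing it.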