LOC-28: Flask Adhoc mode broken on Debian 9 - CA_MD_TOO_WEAK

Issue Information

Issue Type: Bug
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: LocalChat (LOC)
Resolution: Fixed (2018-06-29 09:59:33)
Affects Version: v0.0.1a, V0.0.2
Target version: v0.0.2.1
Components: Encryption

Created: 2018-06-29 08:39:18

When trying to start the server on Debian Stretch (9) we get an exception
root@debian9:/usr/local/src/localchat# ./LocalChat.py 
 * Running on (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger pin code: 306-782-022
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 670, in inner
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 564, in make_server
    passthrough_errors, ssl_context, fd=fd)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 500, in __init__
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 422, in wrap_socket
    ssl_version=self._protocol, **kwargs)
  File "/usr/lib/python2.7/ssl.py", line 943, in wrap_socket
  File "/usr/lib/python2.7/ssl.py", line 554, in __init__
    self._context.load_cert_chain(certfile, keyfile)
SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2699)

Flask is called in adhoc mode, so it should be generating the cert on the fly; it looks like it's using an older message digest when doing so, though.

OK, we're running OpenSSL 1.1.0:
root@debian9:/usr/local/src/localchat# openssl version
OpenSSL 1.1.0f  25 May 2017

Which is more or less when they started refusing some digests.
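To see the check that OpenSSL 1.1.0 is applying here, the following is an added example; it is not part of this issue and is not LocalChat or werkzeug code. It assumes the openssl command-line tool and Python 3 are available, signs a leaf certificate with MD5 and again with SHA-256 (MD5 being, as far as I know, the digest the old werkzeug ad-hoc generator signed with, which is an assumption rather than something this issue states), and then loads each cert/key pair into a server ssl.SSLContext the way werkzeug's make_server does. The leaf is issued by a separate throwaway issuer rather than being self-signed, because OpenSSL skips the signature-digest security check for certificates whose issuer equals their subject; a plain "openssl req -x509 -md5" self-signed cert loads without error and would not reproduce the traceback. The issuer and subject names are illustrative.

```python
"""Reproduce OpenSSL's CA_MD_TOO_WEAK check against MD5- and SHA-256-signed certs.

Added example, not code from LocalChat or werkzeug. Assumes the `openssl`
CLI and Python 3 (with the ssl module) are available. All key material is
generated into a temporary directory and thrown away afterwards.
"""
import os
import re
import ssl
import subprocess
import tempfile

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
MINIMAL_CNF = "[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n"


def openssl(*args, cwd):
    """Run the openssl CLI in `cwd`, raising on non-zero exit; return stdout."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def ensure_issuer(workdir):
    """Create a throwaway, SHA-256 self-signed issuer once per workdir.

    The issuer name is illustrative (an assumption, not taken from werkzeug).
    Returns the path of the minimal openssl config written alongside it.
    """
    cnf = os.path.join(workdir, "openssl.cnf")
    if not os.path.exists(cnf):
        with open(cnf, "w") as fh:
            fh.write(MINIMAL_CNF)
    if not os.path.exists(os.path.join(workdir, "ca.crt")):
        openssl("genpkey", "-algorithm", "RSA",
                "-pkeyopt", "rsa_keygen_bits:2048", "-out", "ca.key", cwd=workdir)
        openssl("req", "-x509", "-new", "-config", cnf, "-key", "ca.key",
                "-subj", "/CN=Throwaway Issuer", "-days", "1", "-sha256",
                "-out", "ca.crt", cwd=workdir)
    return cnf


def build_leaf(workdir, digest):
    """Issue a leaf cert for CN=localhost, signed by the throwaway issuer with `digest`.

    The issuer deliberately differs from the subject: OpenSSL applies the
    signature-digest security check only to certs that are not self-signed.
    Returns absolute (cert_path, key_path).
    """
    cnf = ensure_issuer(workdir)
    key, csr, crt = f"leaf-{digest}.key", f"leaf-{digest}.csr", f"leaf-{digest}.crt"
    openssl("genpkey", "-algorithm", "RSA",
            "-pkeyopt", "rsa_keygen_bits:2048", "-out", key, cwd=workdir)
    openssl("req", "-new", "-config", cnf, "-key", key,
            "-subj", "/CN=localhost", "-out", csr, cwd=workdir)
    openssl("x509", "-req", "-in", csr, "-CA", "ca.crt", "-CAkey", "ca.key",
            "-set_serial", "1", "-days", "1", f"-{digest}", "-out", crt, cwd=workdir)
    return os.path.join(workdir, crt), os.path.join(workdir, key)


def signature_algorithm(cert_path):
    """Return the cert's signature algorithm name, e.g. 'md5WithRSAEncryption'."""
    text = openssl("x509", "-in", cert_path, "-noout", "-text",
                   cwd=os.path.dirname(cert_path))
    match = re.search(r"Signature Algorithm:\s*(\S+)", text)
    return match.group(1) if match else None


def load_chain_result(cert_path, key_path):
    """Load the pair into a server SSLContext, as werkzeug's make_server does.

    Returns 'OK', or the OpenSSL reason code ('CA_MD_TOO_WEAK' for this bug).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        return exc.reason or str(exc)
    return "OK"


def compare_digests(digests=("md5", "sha256")):
    """Map each digest to (signature_algorithm, load_result) for a fresh cert."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for digest in digests:
            crt, key = build_leaf(workdir, digest)
            results[digest] = (signature_algorithm(crt), load_chain_result(crt, key))
    return results


if __name__ == "__main__":
    for digest, (algorithm, outcome) in compare_digests().items():
        print(f"{digest:7} {algorithm:28} {outcome}")
```

On OpenSSL 1.1.0 or later at the default security level the SHA-256 pair loads and the MD5 pair fails with CA_MD_TOO_WEAK. The same load_chain_result check can be pointed at any cert/key pair you intend to hand to Flask's ssl_context= to confirm that the problem is in the certificate's signature rather than in the server.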

Although it's a result of starting Flask, the issue itself lies in werkzeug, as that's what's used to generate the certificate, so the first thing to do is probably look for a bug report on their tracker. The package was only installed this morning, so it should be as fresh as it can be in the Debian repos (I'd rather not go out of band if possible).

OK, this looks to be an issue with the packaged version in the apt repos. Removing that (and losing Flask, as it depends on it) and then installing with pip works:
apt-get remove python-werkzeug
pip install werkzeug
pip install flask

root@debian9:/usr/local/src/localchat# ./LocalChat.py 
 * Serving Flask app "LocalChat" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 100-646-584
btasker added 'v0.0.2.1' to Fix Version
btasker removed 'V0.0.3' from Fix Version
The only viable solution for this, then, is not to use Debian's package and to install via pip instead. Will make sure the Ansible playbooks do exactly that.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'