LOC-28: Flask Adhoc mode broken on Debian 9 - CA_MD_TOO_WEAK

Issue Information

Issue Type: Bug
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: LocalChat (LOC)
Resolution: Fixed (2018-06-29 09:59:33)
Affects Version: v0.0.1a, V0.0.2,
Target version: v0.0.2.1,
Components: Encryption ,

Created: 2018-06-29 08:39:18
Time Spent Working


Description
When trying to start the server on Debian Stretch (9) we get an exception 
root@debian9:/usr/local/src/localchat# ./LocalChat.py 
 * Running on https://127.0.0.1:8090/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger pin code: 306-782-022
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in_ _bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 670, in inner
    fd=fd)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 564, in make_server
    passthrough_errors, ssl_context, fd=fd)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 500, in __init_ _
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 422, in wrap_socket
    ssl_version=self._protocol, **kwargs)
  File "/usr/lib/python2.7/ssl.py", line 943, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 554, in_ _init_ _
    self._context.load_cert_chain(certfile, keyfile)
SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2699)


flask is called in adhoc mode so should be generating the cert on the fly, it looks like it's using an older message digest when doing so though.


Toggle State Changes

Activity


2018-06-29 08:51:14
OK, we're running OpenSSL 1.1.0: 
root@debian9:/usr/local/src/localchat# openssl version
OpenSSL 1.1.0f  25 May 2017


Which is more or less when they started refusing some digests.

Although it's a result of starting flask the issue itself lies in werkzeug as that's what's used to generate the certificate, so first thing to do is probably look for a bug report on their tracker. Package was only installed this morning, so it should be as fresh as it can be in the Debian repos (I'd rather not go out of band if possible)

2018-06-29 08:59:24
OK, this looks to be an issue with the packaged version in the apt repos. Removing that (and losing flask as it depends on it) and then installing with pip works: 
apt-get remove python-werkzeug
pip install werkzeug
pip install flask

root@debian9:/usr/local/src/localchat# ./LocalChat.py 
 * Serving Flask app "LocalChat" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on https://127.0.0.1:8090/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 100-646-584

2018-06-29 09:58:58
btasker added 'v0.0.2.1' to Fix Version

2018-06-29 09:58:58
btasker removed 'V0.0.3' from Fix Version

2018-06-29 09:59:34
The only viable solution for this, then, is not to use Debian's package and to install via Pip instead. Will make sure the ansible playbooks do exactly that.

2018-06-29 09:59:34
btasker changed status from 'Open' to 'Resolved'

2018-06-29 09:59:34
btasker added 'Fixed' to resolution

2018-06-29 09:59:37
btasker changed status from 'Resolved' to 'Closed'