##########################################################################################
LOC-28: Flask Adhoc mode broken on Debian 9 - CA_MD_TOO_WEAK
##########################################################################################

Issue Type: Bug

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Fixed (2018-06-29 09:59:33)
Project: LocalChat (LOC)
Reported By: btasker
Assigned To: btasker

Components:
- Encryption

Affected Versions:
- v0.0.1a
- V0.0.2

Targeted for fix in version:
- v0.0.2.1

Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

When trying to start the server on Debian Stretch (9) we get an exception:

-- BEGIN SNIPPET --
root@debian9:/usr/local/src/localchat# ./LocalChat.py
 * Running on https://127.0.0.1:8090/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger pin code: 306-782-022
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 670, in inner
    fd=fd)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 564, in make_server
    passthrough_errors, ssl_context, fd=fd)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 500, in __init__
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
  File "/usr/lib/python2.7/dist-packages/werkzeug/serving.py", line 422, in wrap_socket
    ssl_version=self._protocol, **kwargs)
  File "/usr/lib/python2.7/ssl.py", line 943, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 554, in __init__
    self._context.load_cert_chain(certfile, keyfile)
SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2699)
-- END SNIPPET --

Flask is called in adhoc mode, so it should be generating the cert on the fly; it looks like it's using an older message digest when doing so, though.

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2018-06-29 08:51:14 btasker
-----------------------------------------------------------------------------------------

OK, we're running OpenSSL 1.1.0:

-- BEGIN SNIPPET --
root@debian9:/usr/local/src/localchat# openssl version
OpenSSL 1.1.0f  25 May 2017
-- END SNIPPET --

Which is more or less when they started refusing some digests.

Although it's a result of starting Flask, the issue itself lies in werkzeug, as that's what's used to generate the certificate, so the first thing to do is probably look for a bug report on their tracker.

The package was only installed this morning, so it should be as fresh as it can be in the Debian repos (I'd rather not go out of band if possible).

-----------------------------------------------------------------------------------------
2018-06-29 08:59:24 btasker
-----------------------------------------------------------------------------------------

OK, this looks to be an issue with the packaged version in the apt repos. Removing that (and losing Flask, as it depends on it) and then installing with pip works:

-- BEGIN SNIPPET --
apt-get remove python-werkzeug
pip install werkzeug
pip install flask

root@debian9:/usr/local/src/localchat# ./LocalChat.py
 * Serving Flask app "LocalChat" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on https://127.0.0.1:8090/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 100-646-584
-- END SNIPPET --

-----------------------------------------------------------------------------------------
2018-06-29 09:58:58
-----------------------------------------------------------------------------------------

btasker added 'v0.0.2.1' to Fix Version

-----------------------------------------------------------------------------------------
2018-06-29 09:58:58
-----------------------------------------------------------------------------------------

btasker removed 'V0.0.3' from Fix Version

-----------------------------------------------------------------------------------------
2018-06-29 09:59:34 btasker
-----------------------------------------------------------------------------------------

The only viable solution for this, then, is not to use Debian's package and to install via pip instead. Will make sure the ansible playbooks do exactly that.

-----------------------------------------------------------------------------------------
2018-06-29 09:59:34
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'

-----------------------------------------------------------------------------------------
2018-06-29 09:59:34
-----------------------------------------------------------------------------------------

btasker added 'Fixed' to resolution

-----------------------------------------------------------------------------------------
2018-06-29 09:59:37
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'
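An added example, not part of the LocalChat project or of this ticket, covering the cause identified in the description: CA_MD_TOO_WEAK is what OpenSSL 1.1.0 reports when a certificate's signature digest sits below its configured security level (MD5 at the default level), so an ad-hoc cert signed that way fails in `load_cert_chain` before the server ever listens. The shell functions below generate a self-signed dev cert with a SHA-256 signature and report which digest an existing PEM cert was signed with, so a generated cert can be checked before it is handed to the TLS layer. The function names are this example's own, and the `openssl` CLI is assumed to be on the host.

```shell
#!/bin/sh
# Added example (not from the LocalChat project): make a SHA-256-signed dev
# cert and detect weak-digest certs of the kind OpenSSL >= 1.1.0 refuses.
set -eu

# make_dev_cert OUTDIR HOST DIGEST
# Writes OUTDIR/cert.pem and OUTDIR/key.pem, self-signed with DIGEST
# (e.g. sha256). Key is unencrypted, as for a local dev server.
make_dev_cert() {
    outdir=$1; host=$2; digest=$3
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
        -days 30 -subj "/CN=$host" "-$digest" 2>/dev/null
}

# cert_digest CERT.pem
# Prints the lowercase digest name from the cert's signature algorithm line,
# e.g. "sha256WithRSAEncryption" -> sha256, "md5WithRSAEncryption" -> md5.
cert_digest() {
    openssl x509 -in "$1" -noout -text \
        | grep -m1 'Signature Algorithm' \
        | grep -o -i -E 'md5|sha1|sha224|sha256|sha384|sha512' \
        | head -1 | tr 'A-Z' 'a-z'
}

# cert_digest_ok CERT.pem
# Exit 0 when the signature uses a SHA-2 digest OpenSSL accepts at its default
# security level; exit 1 for md5/sha1 (the CA_MD_TOO_WEAK case) or anything
# unrecognised, so a caller can refuse to start with such a cert.
cert_digest_ok() {
    case "$(cert_digest "$1")" in
        sha256|sha384|sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage:
#   make_dev_cert ./devcert localhost sha256
#   cert_digest_ok ./devcert/cert.pem && echo "digest acceptable"
```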