Python - requests.exceptions.SSLError - dh key too small

Question

I\'m scraping some internal pages using Python and requests. I\'ve turned off SSL verifications and warnings.

requests.packages.urllib3.disable_warnings()
p         


        

Answer 1

I will package my solution here. I had to modify the python SSL library, which was possible since I was running my code within a docker container, but it's something that probably you don't want to do.

1. Get the supported cipher of your server. In my case was a third party e-mail server, and I used script described list SSL/TLS cipher suite

check_supported_ciphers.sh

#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
  error=$(echo -n $result | cut -d':' -f6)
  echo NO \($error\)
else
  if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
    echo YES
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

Give it permissions:

chmod +x check_supported_ciphers.sh

And execute it:

./check_supported_ciphers.sh myremoteserver.example.com | grep OK

After some seconds you will see an output similar to:

Testing AES128-SHA...YES (AES128-SHA_set_cipher_list)

So will use "AES128-SHA" as SSL cipher.

2. Force the error in your code:

   Traceback (most recent call last): File "my_custom_script.py", line 52, in imap = IMAP4_SSL(imap_host) File "/usr/lib/python2.7/imaplib.py", line 1169, in init IMAP4.init(self, host, port) File "/usr/lib/python2.7/imaplib.py", line 174, in init self.open(host, port) File "/usr/lib/python2.7/imaplib.py", line 1181, in open self.sslobj = ssl.wrap_socket(self.sock, self.keyfile, self.certfile) File "/usr/lib/python2.7/ssl.py", line 931, in wrap_socket ciphers=ciphers) File "/usr/lib/python2.7/ssl.py", line 599, in init self.do_handshake() File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)

3. Get the python SSL library path used, in this case:

   /usr/lib/python2.7/ssl.py

4. Edit it:

   cp /usr/lib/python2.7/ssl.py /usr/lib/python2.7/ssl.py.bak

   vim /usr/lib/python2.7/ssl.py

And replace:

_DEFAULT_CIPHERS = (
    'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
    'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
    '!aNULL:!eNULL:!MD5:!3DES'
    )

By:

_DEFAULT_CIPHERS = (
    'AES128-SHA'
    )