如何解决SSL问题SSL_CTX_use_certificate:ca md在Python Zeep上太弱 [英] How to fix SSL issue SSL_CTX_use_certificate : ca md too weak on Python Zeep

问题描述

在我向Frontierlink Web Service发出SOAP请求时，直到出现此错误之前，我的代码一直在工作.

my code was working before until i got this error whenever i make SOAP requests to Frontierlink Web Service.

File "/home/venv/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)

OpenSSL.SSL.Error:[['SSL例程'，'SSL_CTX_use_certificate'，'ca md太弱')]

OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ca md too weak')]

我是否需要重新生成我用来连接的pem文件，或者问题出在我用来生成pem文件的.p12文件上?

Do i need to regenerate the pem file that im using to connect or the issue is on the .p12 file that i have used to generate the pem file?

如果您需要有关我的问题的更多信息，请告诉我.

Let me know if you need more info on my issue.

注意:

我正在使用的OpenSSL版本是:OpenSSL 1.0.2k-fips

OpenSSL Version that im using is : OpenSSL 1.0.2k-fips

提前谢谢！

推荐答案

所收到的错误消息表明所使用的证书已使用md5哈希签名.

The error message you are getting indicates that the certificate you are using is signed with an md5 hash.

OpenSSL 1.1.0引入了名为安全级别.
默认设置1会导致以下情况(我强调):

OpenSSL 1.1.0 has introduced a new feature called security level.
The default setting of 1 will cause the following (emphasis by me):

安全级别对应于至少80位的安全性.不提供低于80位安全性的任何参数.结果，禁止短于1024位的RSA，DSA和DH密钥以及短于160位的ECC密钥.禁止所有导出密码套件，因为它们都提供少于80位的安全性.禁止使用SSL版本2. 也禁止使用任何将MD5用于MAC的密码套件.

您可能需要重新生成证书并使用更强的哈希值进行签名，例如SHA1.

You may need to regenerate the certificate and use a stronger hash to sign, for example SHA1.

从论坛帖子中 OpenSSL用户判断>现在可能会出现此问题，因为您尝试连接的服务已升级了他们的OpenSSL版本，并且现在拒绝了您的证书.

Judging from the forum post at OpenSSL Users this problem may be occurring now because the service you are attempting to connect to has upgraded their version of OpenSSL and it is now rejecting your certificate.

这篇关于如何解决SSL问题SSL_CTX_use_certificate:ca md在Python Zeep上太弱的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！