Move SSL cipher string configuration before loading the certification chain #676
After upgrading to the recent release of Python 3.10, connections to brokers with previous-generation self-signed SSL keys no longer work; when connecting, the SSL library throws an error:
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak
Changing the broker keys in some use cases may not be possible. The most used workaround I found online was to configure the openssl library at the OS/Docker image level to drop the security level globally and allow weak keys to be used, with solutions such as `RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf`. I find this inappropriate for the sake of a single connection in the system.
The obvious solution is that when configuring SSL for the paho-mqtt client connection, the `client.tls_set()` method allows cipher strings to be defined for the context. Using the cipher string `DEFAULT@SECLEVEL=1` should have the same effect as when being configured globally as above; however, I found that the exception was still raised.
After some investigation I found that in the `client.tls_set()` method the cipher string is added to the SSL context as the very last step, after the key chain is loaded into the context. When the keys are being loaded, the SSL library throws the exception and the program flow never arrives at the cipher configuration which would allow those weak keys to be used.
This PR moves the cipher string configuration to the beginning of the context configuration process, so all subsequent context configuration will respect any cipher string specification.
Signed-off-by: Mate Szabo [email protected]