7

I upgraded my Ubuntu 19.10 to the latest 20.04. After this process, doing HTTP calls passing a certificate gives the following error:

error: Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ca md too weak')]

Executing

openssl x509 -in certificate.pem -noout -text | grep 'Signature Algorithm'

returns the following:

sha1WithRSAEncryption

The OpenSSL version installed is 1.1.1f

Can this behaviour overridden? If not, is it possible to downgrade to a compatible openssl version?

dariofac
  • 1,042
  • It says your message digest (your hash function) is too weak. You need to update your code to use something better than SHA-1. – user4124 Apr 27 '20 at 10:25
  • Related: https://askubuntu.com/questions/1232849/how-do-i-resolve-an-ssl-handshake-error-in-the-snap-store – mankoff May 05 '20 at 14:54
  • I got my curl and wget SSL errors solved by following the instructions here: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level It did not fix my pip SSL error. – mankoff May 05 '20 at 15:09

1 Answers1

11

I found a solution, according to the accepted answer of this question: Ubuntu 20.04 - how to set lower SSL security level?

In particular, the openSSL configuration file /etc/ssl/openssl.cnf shall be modified in the following way.

At the beginning, add openssl_conf = default_conf

At the end, add

[ default_conf ]

ssl_conf = ssl_sect


[ssl_sect]


system_default = ssl_default_sect


[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0

After this modification, the certificate is recognized without security errors.

dariofac
  • 1,042