
CA_MD_TOO_WEAK for APNS devices

Open mhsiddiqui opened this issue 5 years ago • 11 comments

I am getting the following error while sending push notifications to APNS devices.

[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3503)

mhsiddiqui avatar Oct 26 '19 11:10 mhsiddiqui

Try editing /etc/ssl/openssl.cnf and setting the following value to 1 (the default is 2 on many newer systems, I believe).

CipherString = DEFAULT@SECLEVEL=1

a2f0 avatar Nov 04 '19 20:11 a2f0

@mhsiddiqui did this fix it? Having the same issue here.

ekimia avatar Nov 06 '19 20:11 ekimia

@ekimia I just found a way to avoid this error. This error was occurring due to the latest version of OpenSSL. I was using Docker and I had to downgrade the OpenSSL version in order to avoid this error. You can use this (http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1-1ubuntu2.1~18.04.4_amd64.deb) version as I am using the same.

mhsiddiqui avatar Nov 07 '19 06:11 mhsiddiqui

> Try editing /etc/ssl/openssl.cnf and setting the following value to 1 (the default is 2 on many newer systems, I believe).
>
> CipherString = DEFAULT@SECLEVEL=1

I think many of us run dev environments on macOS or in Docker, so this solution is not universal and does not cover macOS, as there's no such line in the openssl.cnf file there. The root of this problem has to be fixed or explained under an issue in pyapns2, so I'd suggest we move this thread there, as this issue occurs in several other APNS-related projects.

captain-fox avatar Mar 25 '20 19:03 captain-fox
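The root cause captain-fox asks for is a certificate signature, not a cipher: OpenSSL raises CA_MD_TOO_WEAK when a certificate it loads or verifies is signed with a digest whose strength falls below the configured security level (SHA-1 counts as 80 bits in OpenSSL 1.1.x, so it fails the 112-bit bar of SECLEVEL=2 and passes at SECLEVEL=1; MD5 fails at both). Self-signed roots are exempt from this check, so the trigger is normally an intermediate or the leaf. Before lowering the level for a whole system, it helps to know which certificate is the offender. The following is an added example, not code from django-push-notifications or pyapns2: a stdlib-only DER walker that reads the outer signatureAlgorithm OID of every certificate in a PEM bundle (the client certificate and chain you hand to the library, or a server chain you have saved to a file) and flags the weak ones. The `fake_cert` and `constructed_bundle` helpers build constructed, certificate-shaped test input; they are not real certificates and exist only so the example runs offline.

```python
"""Flag certificates whose signature digest trips OpenSSL's CA_MD_TOO_WEAK check.

Added example (not from django-push-notifications or pyapns2). Standard library only.
"""
import base64
import re
import sys

# Signature-algorithm OIDs whose digest (MD2, MD5 or SHA-1) is below the
# 112-bit requirement of SECLEVEL=2. These are the usual CA_MD_TOO_WEAK triggers.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

# DER-encoded OID contents used for the constructed samples below.
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn DER OID contents into dotted form (base-128 arcs, first byte = 40*a + b)."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Dotted OID of the certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _read_tlv(algid, 0)          # first element is the OID
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)


def pem_to_der_list(pem_text):
    """Split a PEM bundle into DER blobs, one per CERTIFICATE block."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def weak_signatures(pem_text):
    """[(index, oid, name)] for every certificate in the bundle signed with a weak digest."""
    findings = []
    for i, der in enumerate(pem_to_der_list(pem_text)):
        oid = signature_oid(der)
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append((i, oid, WEAK_SIGNATURE_OIDS[oid]))
    return findings


# ---- constructed test input (not real certificates) ------------------------

def _der(tag, content):
    """Short-form DER element; enough for the tiny constructed samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def fake_cert(sig_oid):
    """CONSTRUCTED certificate-shaped SEQUENCE: (tbs, AlgorithmIdentifier, BIT STRING)."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                       # stand-in tbsCertificate
    algid = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00\x00")                               # stand-in signature
    return _der(0x30, tbs + algid + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


def constructed_bundle():
    """Two-cert bundle: leaf signed with SHA-256, issuer signed with SHA-1."""
    return to_pem(fake_cert(SHA256_RSA_OID)) + to_pem(fake_cert(SHA1_RSA_OID))


if __name__ == "__main__":
    # Usage: python check_sigs.py chain.pem   (no argument: run on the constructed bundle)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_bundle()
    for idx, oid, name in weak_signatures(text):
        print(f"cert #{idx}: signed with {name} ({oid}); rejected at SECLEVEL=2")
```

If the flagged certificate is one you own (the APNS client certificate or a chain file you ship), re-issuing it with a SHA-256 signature removes the error without touching the security level; if it is an upstream intermediate, the remaining choices are the level change discussed in this thread or the token-based connection mentioned below.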

Same issue here. Has anyone fixed this?

aaronn avatar Jun 13 '20 09:06 aaronn

Psst. no problem on alpine :)

dimaqq avatar Jul 13 '20 10:07 dimaqq

@aaronn and everyone - use the new token based method which is better anyways (no more cert expiration!) https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_token-based_connection_to_apns

ekimia avatar Jul 15 '20 18:07 ekimia

> @aaronn and everyone - use the new token based method which is better anyways (no more cert expiration!) https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_token-based_connection_to_apns

Better is subjective: the JWT allows access to all the apps on your account (team), both prod and staging. Client certificates are more granular.

dimaqq avatar Jul 16 '20 05:07 dimaqq

@dimaqq is right. But at the same time, I doubt Apple will go and fix this issue, given Apple.

ekimia avatar Jul 17 '20 22:07 ekimia

I'm using the python:3.8-slim-buster Docker image. I solved it with

RUN echo "patching open ssl"
RUN cp /etc/ssl/openssl.cnf /app/openssl.cnf
RUN chmod 777 /app/openssl.cnf
RUN sed -i "s/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g" /app/openssl.cnf
ENV OPENSSL_CONF=/app/openssl.cnf

I hope it will help somebody

andrewkoltsov avatar Apr 29 '21 09:04 andrewkoltsov

> I'm using the python:3.8-slim-buster Docker image. I solved it with
>
> RUN echo "patching open ssl"
> RUN cp /etc/ssl/openssl.cnf /app/openssl.cnf
> RUN chmod 777 /app/openssl.cnf
> RUN sed -i "s/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g" /app/openssl.cnf
> ENV OPENSSL_CONF=/app/openssl.cnf
>
> I hope it will help somebody

I made it a bit shorter just adding the necessary line, instead of copying the whole config:

RUN echo "CipherString=DEFAULT@SECLEVEL=1" >> /etc/ssl/openssl.cnf

This means the CipherString is changed globally though, so use with care.

gdvalderrama avatar Nov 29 '21 16:11 gdvalderrama
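Both Dockerfile variants above lower the security level for every OpenSSL consumer in the image (pip, requests, database drivers, anything that reads openssl.cnf), which is the "use with care" part. The same `DEFAULT@SECLEVEL=1` string can instead be applied to a single `ssl.SSLContext`, so only the APNS connection accepts SHA-1-signed chain certificates while hostname checking, certificate verification and the TLS 1.2 floor stay in place. The snippet below is an added example, not code from django-push-notifications or pyapns2; it assumes the HTTP/2 client you use lets you pass a prepared context (where that hook lives depends on the pyapns2/hyper version, so the wiring is left to the caller), and it relies on OpenSSL 1.1.x, which is what the Debian and Ubuntu images in this thread ship. Newer OpenSSL rates SHA-1 lower still, so verify which level you actually need there.

```python
"""Lower the OpenSSL security level for one TLS context instead of globally.

Added example (not from django-push-notifications or pyapns2).
"""
import ssl

# Hypothetical paths; the real APNS certificate and key live wherever your deployment keeps them.
APNS_CERT_FILE = "/run/secrets/apns-cert.pem"
APNS_KEY_FILE = "/run/secrets/apns-key.pem"


def apns_client_context(cert_file=None, key_file=None):
    """Client context for the APNS connection only.

    Verification, hostname checking and the protocol floor keep their defaults;
    the one change is the per-context security level, the equivalent of the
    "CipherString = DEFAULT@SECLEVEL=1" line in openssl.cnf but scoped to this object.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Per-context SECLEVEL: other SSLContexts in the process are unaffected.
    ctx.set_ciphers("DEFAULT@SECLEVEL=1")
    if cert_file:
        # Loading the client certificate is where CA_MD_TOO_WEAK surfaces for a
        # SHA-1-signed APNS cert; at level 1 the load succeeds.
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def context_summary(ctx):
    """The settings a reviewer wants to confirm survived the relaxation."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "cipher_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    # Without the certificate files present this only shows the context settings.
    print(context_summary(apns_client_context()))
```

Keep the relaxed context in one place (a small factory like the one above) and pass it only to the APNS client; any other outbound TLS in the process should keep using `ssl.create_default_context()` unchanged.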