'weak encryption' on twisted https webserver (no issue before)

testly · September 24, 2020, 7:56pm

Hi all,
searched a lot but did not figure out the reason. I had a https webserver running on my local mac-mini with no noticeable issue months ago, using certbot. But now the same https-web was blocked by Chrome (not secure) and was warned 'weak encryption' by Firefox. (check demo: https://wklytics.com)
The webserver is python twisted, with hostname purchased from no-ip.com (who told me issue is not on their side..). Checked and searched twisted python script, it is using default openssl (not sure this will be the issue or not). Hope some experts could help.

------- standard questions -------------------------
My domain is:
https://wklytics.com
I ran this command:

certbot: started a year ago with no issue,
'certbot certonly --webroot -w xxpath -d wklytics.com'
'certbot renew': shows the current cert is still good

Webserver, python twisted webserver (python 2.7), keycode:

 sslContext = ssl.DefaultOpenSSLContextFactory(
          self.config['https']['ssl_key'],  # Private Key from certbot
          self.config['https']['ssl_cert']  # Certificate from certbot
                 )
 https_factory = Site(https_root)
 reactor.listenSSL(self.config['https']['port'],https_factory, sslContext);
 reactor.run()

It produced this output:
It showed 'weak encryption connection is not secure' in Firefox and blocked in Chrome (i.e. https://wklytics.com). Strangely, this issue was not there when it was started.

My web server is (include version):
python 2.7.14, twisted 19:10.0
The operating system my web server runs on is (include version):
mac-mini: macOS 10.10.5
My hosting provider, if applicable, is:
Hosting on my local mac (I purchase domain name from no-ip.com)
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
bash (python script to run web server)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.26.1

JuergenAuer · September 24, 2020, 8:28pm

Hi @testly

first, your certificate is valid - see https://check-your-website.server-daten.de/?q=wklytics.com#connections

CN=wklytics.com
	01.07.2020
	29.09.2020
expires in 5 days	wklytics.com - 1 entry

But there are some problems:

Your certificate has only the non-www version, so your www version isn't secure and has the wrong certificate. Create one certificate with both domain names
your chain is incomplete - use fullchain.pem instead of cert.pem
your non-www uses Tls.1.0, that's your browser warning
RSAKeyExchange and SHA1 may be a result
Tls.1.2 is missing, that's bad

testly · September 24, 2020, 8:44pm

Thanks,

Your certificate has only the non-www version, so your www version isn't secure and has the wrong certificate. Create one certificate with both domain names
How do I do this with certbot? I thought 'certbot certonly --webroot -w xxpath -d http:wklytics.com' will take care *.wklytics.com as wildcard? Also, if I want to keep 'http://www.wklytics.com' and only wants to run https on 'https://wklytic.com', is this fine with the current setup? or I need to change?
your chain is incomplete - use fullchain.pem instead of cert.pem
Any reference on how to do this? I am ignorant no this.
your non-www uses Tls.1.0, that's your browser warning
RSAKeyExchange and SHA1 may be a result
Tls.1.2 is missing, that's bad
How I should change? Is this related I have both 'http' and 'https' running? but they are using different ports...

danb35 · September 24, 2020, 8:54pm

Why would you expect certbot to add a hostname to your cert that you didn't tell it to add?
The protocol isn't part of the domain name, so it would be -d wylytics.com, not -d http:wklytics.com
You can't get a wildcard cert with HTTP validation (which is the only kind available with the webroot method)

Surely this, as well as the rest of your questions, would be addressed in the documentation for the web server?

JuergenAuer · September 24, 2020, 8:56pm

Your www has an ip address. Oh, it's a different ip address:

Host	Type	IP-Address	is auth.	∑ Queries	∑ Timeout
wklytics.com	A	98.213.145.29 Machesney Park/Illinois/United States (US) - Comcast Cable Communications, LLC Hostname: c-98-213-145-29.hsd1.il.comcast.net	yes	1	0
	AAAA		yes
www.wklytics.com	A	34.198.182.201 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-34-198-182-201.compute-1.amazonaws.com	yes	1	0
	AAAA		yes

If you are the only user and if you use the non-www, you can ignore that problem. If there are other users, you don't know if they use the www version. So you should fix that.

Other problems - check the documentation of your system how to change that.

I have no idea how that old

python 2.7.14, twisted 19:10.0

works. And how that works with a Mac.

testly · September 24, 2020, 8:58pm

Hi [quote="danb35, post:4, topic:134472, full:true"]

Why would you expect certbot to add a hostname to your cert that you didn't tell it to add?
You are right. I misunderstood what I did before.
The protocol isn't part of the domain name, so it would be -d wylytics.com, not -d http:wklytics.com
Typo, my fault: this part has no issue, as I did as you did.
You can't get a wildcard cert with HTTP validation (which is the only kind available with the webroot method)

Surely this, as well as the rest of your questions, would be addressed in the documentation for the web server?
[/quote]

Thanks for the information and correction.

testly · September 24, 2020, 9:08pm

I am the only user for those two. The www came too early for other things. It wil involve too much test before change to https. Idea is to migrate this later, after I have one https working.
JuergenAuer, besides the change of python web setup, how other issues can be fixed?

how to use fullchain.pem.
how should I change tls1.0 to tsl1.2? Is this because of my twisted server or other issues.
Thanks

jvanasco · September 24, 2020, 9:17pm

Wow, someone using Twisted Web!

Twisted is a bit overwhelming for experienced developers and serves a niche segment of the Python community. I've been using it for many years, though not for web services in quite some time, but I think I can safely say you're not going to find the help you need here regarding configuring your application/twistd with the right certs. You should be able to find the help you need on Twisted's mailing list though. The problems you're having right now are most likely because recent browser updates are not okay with your SSL implementation in Twisted.

A potential alternative is to run a webserver like Nginx in front of twisted, and have that server configured with the SSL certificates and terminate SSL there. In that scenario, Twisted handles everything as HTTP traffic and you don't have to worry about the SSL configuration there. That option may not be compatible with your application design though. As someone who has written web services in Twisted, I think this is a much better option if it is available to you

testly · September 24, 2020, 9:23pm

Nginx with twisted seems to be cool. Appreciate if you can point out some demo script to test/start with.

testly · September 24, 2020, 9:25pm

By the way, how do you get those status data about the website? Is that from some public site?
As well as the check on my website, it is strange why it is related Amazon? Might want to check it again.
Thanks,

griffin · September 24, 2020, 9:30pm

@testly

Those are tools that @JuergenAuer developed himself and offers at:

JuergenAuer · September 24, 2020, 9:33pm

My answer has a link.

testly · September 24, 2020, 10:16pm

Great tool for checking website.
For the fullchain pem, is this my major cause of warning? or this is optional fix?
I will also try to play around tls1.2 in python + twisted and see.
Thanks,

rg305 · September 24, 2020, 10:42pm

In your code, wherever you used something like: /path/live/site/cert.pem
Try instead using: /path/live/site/fullchain.pem

If you don't know the exact path, try:
certbot certificates
[that will show you plenty about your cert(s)]

jvanasco · September 25, 2020, 12:48am

That may or may not work. It is worth trying, but I would have guarded hopes.

Twisted wraps pyOpenSSL for this, and invokes use_certificate_file (see https://github.com/twisted/twisted/blob/twisted-20.3.0/src/twisted/internet/ssl.py#L117)

pyOpenSSL supports both a use_certificate_file and use_certificate_chain_file. I assume the latter is more applicable. I'm not sure what Twisted devs recommend; I wouldn't be surprised if they subclass and override.

In any event, here's a link to some nginx docs on the proxypass.

testly · September 26, 2020, 3:01am

[quote="jvanasco, post:15, topic:134472, full:true"]

Thanks for suggestion. Just need to write a new class.

use fullchain

from OpenSSL import SSL
class ChainedOpenSSLContextFactory(ssl.DefaultOpenSSLContextFactory):
def init(self, privateKeyFileName, certificateChainFileName,
sslmethod=SSL.SSLv23_METHOD):
"""
@param privateKeyFileName: Name of a file containing a private key
@param certificateChainFileName: Name of a file containing a certificate chain
@param sslmethod: The SSL method to use (best flexibility is SSLv23_METHOD
"""
self.privateKeyFileName = privateKeyFileName
self.certificateChainFileName = certificateChainFileName
self.sslmethod = sslmethod
self.cacheContext()

def cacheContext(self):
    ctx = SSL.Context(self.sslmethod)
    ctx.use_certificate_chain_file(self.certificateChainFileName)
    ctx.use_privatekey_file(self.privateKeyFileName)
    self._context = ctx;
    return;