
Receiving [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3880) error when trying to send push notification. #103

Closed
captain-fox opened this issue Jan 31, 2020 · 15 comments

@captain-fox

I have never used APNS before, so I'm pretty much in the dark about what's causing this issue, but from the stack trace I can conclude that the error originates from the ssl library. Is this somehow fixable locally by using a different ssl version (if yes, how?), or maybe it is a bug in the library itself?

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.7/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/django/views/generic/base.py", line 71, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/rest_framework/views.py", line 505, in dispatch
    response = self.handle_exception(exc)
  File "/usr/local/lib/python3.7/site-packages/rest_framework/views.py", line 465, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/usr/local/lib/python3.7/site-packages/rest_framework/views.py", line 476, in raise_uncaught_exception
    raise exc
  File "/usr/local/lib/python3.7/site-packages/rest_framework/views.py", line 502, in dispatch
    response = handler(request, *args, **kwargs)
  File "/code/api/views/views.py", line 65, in get
    client = APNsClient(key_path, use_sandbox=False, use_alternative_port=False)
  File "/usr/local/lib/python3.7/site-packages/apns2/client.py", line 56, in __init__
    self.__credentials = CertificateCredentials(credentials, password) # type: Credentials
  File "/usr/local/lib/python3.7/site-packages/apns2/credentials.py", line 37, in __init__
    ssl_context = init_context(cert=cert_file, cert_password=password)
  File "/usr/local/lib/python3.7/site-packages/hyper/tls.py", line 131, in init_context
    context.load_cert_chain(cert, password=cert_password)
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3880)

@Pr0Ger
Owner

Pr0Ger commented Feb 10, 2020

Hi! I have never seen this error, but maybe regenerating certificates will help.
Or using JWT tokens instead of certificates.

@captain-fox
Author

captain-fox commented Feb 23, 2020

I think I may be messing something up while creating and splitting the certificate file into cert and key pem files.
@Pr0Ger would you be so kind as to share a link or describe the correct procedure for generating those files from a .p12 source? Any caveats that one needs to know while doing this?

@darioragusa

Hi, I tried to regenerate certificates multiple times but I got the same error. Maybe it is the RSA encryption in the certificate instead of the SHA-1 that causes the error, but I don't know how to change it.
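The guess about SHA-1 points at the right place: OpenSSL raises CA_MD_TOO_WEAK when a certificate in the chain being loaded (typically the issuing intermediate bundled into the .pem) carries a signature digest that the context's security level forbids, which at the default SECLEVEL=2 means SHA-1 or MD5. The script below is an added example, not code from this thread, from apns2 or from hyper. It reads only the outer signatureAlgorithm field of each PEM certificate with a minimal DER reader (no third-party library), so it can tell you which entry in a bundle would be rejected; the bundle it checks is constructed inside the script and is not a real Apple certificate.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) and whether OpenSSL's
# default security level (SECLEVEL=2) rejects that digest on a certificate signature.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """DER OID content bytes -> dotted-decimal string (base-128 arcs, high bit = continue)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Return (algorithm name, is_weak) from the outer signatureAlgorithm of a DER cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Only the second element is decoded; the tbsCertificate is skipped whole.
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(body, 0)                # skip tbsCertificate
    tag, sig_alg, _ = _read_tlv(body, after_tbs)        # AlgorithmIdentifier SEQUENCE
    tag_oid, oid_bytes, _ = _read_tlv(sig_alg, 0)       # its first field is the OID
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    oid = _decode_oid(oid_bytes)
    return SIG_ALGS.get(oid, (oid, False))              # unknown OID: report it, don't guess

def audit_pem_bundle(pem_text):
    """List (index, algorithm, is_weak) for every certificate in a PEM bundle, e.g. the
    cert file handed to SSLContext.load_cert_chain(); a weak entry is the one that
    makes OpenSSL raise CA_MD_TOO_WEAK at SECLEVEL=2."""
    report = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        name, weak = signature_algorithm(der)
        report.append((i, name, weak))
    return report

# --- CONSTRUCTED sample input (not a real certificate) ---------------------------

def _der(tag, body):
    """Tiny DER TLV encoder, only used to build the sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _encode_oid(dotted):
    """Dotted-decimal OID -> DER content bytes (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def fake_cert_pem(sig_oid):
    """A DER shell with a certificate's outer shape and a stub tbsCertificate; enough
    for the audit above, but not a usable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 65)                       # BIT STRING, 0 unused bits
    b64 = base64.encodebytes(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Mimic a bundle whose intermediate is SHA-1 signed and whose leaf is SHA-256 signed.
    bundle = fake_cert_pem("1.2.840.113549.1.1.5") + fake_cert_pem("1.2.840.113549.1.1.11")
    for idx, name, weak in audit_pem_bundle(bundle):
        print(f"cert {idx}: {name}{'  <-- rejected at SECLEVEL=2' if weak else ''}")
```

Run it against the real .pem you pass to `load_cert_chain` instead of the constructed bundle (`audit_pem_bundle(open(path).read())`); the entry flagged weak is the one to replace when regenerating, and if none is flagged the problem lies elsewhere than the signature digest.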

@darioragusa

I think I have solved it. jazzband/django-push-notifications#532. Editing /etc/ssl/openssl.cnf worked or at least the error has changed.

@captain-fox
Author

I think I have solved it. jazzband/django-push-notifications#532. Editing /etc/ssl/openssl.cnf worked or at least the error has changed.

Try editing /etc/ssl/openssl.cnf and setting the following value to 1 (the default is 2 on many newer systems, I believe).

CipherString = DEFAULT@SECLEVEL=1

The line mentioned in this solution does not exist in the macOS version of the OpenSSL configuration file, or at least it's not added automatically during installation with brew, which by default puts it in: /usr/local/etc/openssl@1.1/openssl.cnf

I've made attempts to send push notifications from a Docker container and from macOS; both fail with the error mentioned in the very first post in this issue.

@aaronn

aaronn commented Jun 13, 2020

Seeing the same thing, kind of at a loss for what to do about this.

@captain-fox
Author

Seeing the same thing, kind of at a loss for what to do about this.

Use a JWT token instead.

@RaddishIoW

This error has to do with connecting to the APNS service, not authenticating on Django, so JWT tokens aren't part of it? You can't use a JWT token to send a notification to Apple's servers, unless I'm very much mistaken?

@captain-fox
Author

captain-fox commented Jul 9, 2020

This error has to do with connecting to the APNS service, not authenticating on Django, so JWT tokens aren't part of it? You can't use a JWT token to send a notification to Apple's servers, unless I'm very much mistaken?

Starting from November 2020 Apple will no longer support cert-based authentication and will only support JWT APNS communication.

This will answer your question in more details:
Develatio/django-walletpass#1 (comment)

Check out this: https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1
Specifically section called "Provider-to-APNs Connection Trust"

And this: https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_token-based_connection_to_apns

@RaddishIoW

Ah! My apologies - and thank you :)

@dimaqq

dimaqq commented Jul 14, 2020

@captain-fox could you elaborate or provide reference for Nov 2020?

https://developer.apple.com/news/?id=11042019a states that binary protocol will be gone then.

  • binary APNS (using client certificate): until 2020 Nov
  • HTTP/2 APNS using client certificate: ???
  • HTTP/2 APNS using JWT: should be fine

@captain-fox
Author

@captain-fox could you elaborate or provide reference for Nov 2020?

https://developer.apple.com/news/?id=11042019a states that binary protocol will be gone then.

  • binary APNS (using client certificate): until 2020 Nov
  • HTTP/2 APNS using client certificate: ???
  • HTTP/2 APNS using JWT: should be fine

Apologies, I misunderstood "binary" as covering all kinds of certificates.
Nevertheless, JWT is here to stay, and Apple already suggests that we switch to it.

@dimaqq

dimaqq commented Oct 30, 2020

@naitik-aubergine noted in the other repo:

the deadline to upgrade to the APNs provider API has been extended to March 31, 2021

https://developer.apple.com/news/?id=c88acm2b#:~:text=To%20give%20you%20additional%20time,binary%20protocol%20after%20this%20date.

@mcclymont

I have described what I believe to be the problem and another potential workaround over on this Ruby APNs library: ostinelli/apnotic#92 (comment)

My workaround is more specific for this use case and means you don't need to globally reduce the Security Level for your whole operating system.

Though I'm not sure how to change the corresponding setting on a Python SSLContext object.
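One way to answer the open question about the Python SSLContext, as an added example rather than code from this thread, from apns2 or from hyper: OpenSSL's security level can be set per context through the `DEFAULT@SECLEVEL=N` cipher-string syntax that `SSLContext.set_ciphers()` accepts, so the relaxation stays confined to the one client connection instead of being applied host-wide in /etc/ssl/openssl.cnf. `make_apns_client_context` and `context_summary` are names chosen for this example; how the resulting context is handed to apns2/hyper is not shown because the thread does not document it. The level has to be lowered before `load_cert_chain()`, since the check that raises CA_MD_TOO_WEAK runs while the chain is loaded, and server verification is left fully on so that working around the client-certificate problem does not weaken the check on APNs' own certificate. The durable fixes remain the ones already named above: a regenerated certificate chain without SHA-1 signatures, or token-based (JWT) authentication.

```python
import ssl
import warnings

def make_apns_client_context(cert_path=None, key_path=None, password=None,
                             security_level=None):
    """Client TLS context for an outbound HTTP/2 connection to APNs (hypothetical helper).

    security_level: optional OpenSSL security level (0..5) applied to THIS context only,
    through the "DEFAULT@SECLEVEL=N" cipher-string syntax, so the host-wide
    /etc/ssl/openssl.cnf stays at its default. It is applied before load_cert_chain()
    because the check that raises CA_MD_TOO_WEAK runs while the chain is loaded.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)   # verifies APNs' certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2                  # never negotiate below 1.2
    if security_level is not None:
        if security_level < 2:
            warnings.warn(
                f"SECLEVEL={security_level}: this context accepts SHA-1 signed certificates "
                "and weaker cipher suites; use it for the APNs client only",
                RuntimeWarning,
            )
        ctx.set_ciphers(f"DEFAULT@SECLEVEL={security_level}")
    if cert_path is not None:
        # provider certificate and key exported from the .p12 as PEM
        ctx.load_cert_chain(cert_path, keyfile=key_path, password=password)
    return ctx

def context_summary(ctx):
    """Plain-value view of the settings worth checking before the context is used."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "cipher_count": len(ctx.get_ciphers()),
    }

if __name__ == "__main__":
    print(context_summary(make_apns_client_context()))
    print(context_summary(make_apns_client_context(security_level=1)))
```

Call `make_apns_client_context("cert.pem", "key.pem", security_level=1)` only for the APNs client; every other context in the process keeps the system default, and the RuntimeWarning makes the relaxation visible in logs so it is not forgotten once the chain is regenerated.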

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
