Generated SSL cert is too old for Firefox 33+ #611
Comments
I think that is a direct result of the disclosed SSL 3 vulnerabilities. Not really sure what to set it to now.
Well the openssl bit I put above appears to do the job for me in Firefox 33 (Gentoo Linux). Would it not be enough to just substitute that?
IMO we should support more browsers than just the latest Firefox.
Well of course, but would this not still work for most browsers? Alternatively, there could be a flag passed for older versions. Something like: $ ./manage.py runserver_plus --ssl1 --cert=/path/to/cert ... Or something like that.
Adding a parameter is the task of the Django extension, not Werkzeug. I don't know what would work in most browsers.
Well of course it is, but that command line option would have to translate to an internal keyword arg, right?
I just ran into this problem using Flask to serve over HTTPS in an ad hoc dev environment. Firefox 33 and later specifically rejects small keys. Monkey-patching werkzeug.serving.generate_adhoc_ssl_pair to use 1024 bits instead of 768 fixed the problem. I can make a pull request if necessary, though it's a very simple fix.
Just fixed this in master, will be released in 0.10.
So with version 33, Firefox did something rather annoying: they now use a more restrictive library that rejects connections to servers running older versions of SSL. On the one hand, this is pretty awesome because at some point we all need to grow up and start using modern encryption, but on the other, it can make development really difficult when all you really need is an SSL setup -- any SSL setup to make your local development environment Just Work.
We've been using django-extensions' runserver_plus feature, which is awesome because it includes a browser-based debugger and other really cool stuff, but also importantly, it supports the ability for you to run the Django runserver in SSL mode. This means that you can do stuff like:
And that's enough for you to be able to access your site over SSL:
However, now that Firefox has thrown this monkeywrench into things, we spent far too much time today trying to figure out what was wrong and how to fix it, so I'm posting the answer here:
Basically, you just need a better cert than the one django-extensions creates for you automatically.
So, instead of just running --cert=/path/to/file and letting runserver_plus create it for you, you should run openssl yourself to create the cert and then point runserver_plus to it:
Of course, you can locate temporary-cert.* wherever you like, but you get the idea.
There's a Reddit discussion on this as well if you're interested.