Generated SSL cert is too old for Firefox 33+ #611

Closed
danielquinn opened this issue Oct 16, 2014 · 8 comments

Comments

@danielquinn

So with version 33, Firefox did something rather annoying: they now use a more restrictive library that rejects connections to servers running older versions of SSL. On the one hand, this is pretty awesome because at some point we all need to grow up and start using modern encryption, but on the other, it can make development really difficult when all you really need is an SSL setup -- any SSL setup -- to make your local development environment Just Work.

We've been using django-extensions' runserver_plus feature, which is awesome because it includes a browser-based debugger and other really cool stuff, but also, importantly, it supports the ability for you to run the Django runserver in SSL mode. This means that you can do stuff like:

./manage.py runserver_plus --cert=/tmp/temporary.cert

And that's enough for you to be able to access your site over SSL:

https://localhost:8000/

However, now that Firefox has thrown this monkeywrench into things, we spent far too much time today trying to figure out what was wrong and how to fix it, so I'm posting the answer here:

Basically, you just need a better cert than the one django-extensions creates for you automatically.

So, instead of just running --cert=/path/to/file and letting runserver_plus create it for you, you should run openssl yourself to create the cert and then point runserver_plus to it:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/temporary-cert.key -out /tmp/temporary-cert.crt
$ ./manage.py runserver_plus --cert=/tmp/temporary-cert.crt

Of course, you can locate temporary-cert.* wherever you like, but you get the idea.

There's a Reddit discussion on this as well if you're interested.

@untitaker
Contributor

I think that is a direct result of the disclosed SSL 3 vulnerabilities. Not really sure what to set it to now.

@danielquinn
Author

Well the openssl bit I put above appears to do the job for me in Firefox 33 (Gentoo Linux). Would it not be enough to just substitute that?

@untitaker
Contributor

IMO we should support more browsers than just the latest Firefox.

@danielquinn
Author

Well of course, but would this not still work for most browsers? Alternatively, there could be a flag passed for older versions. Something like:

$ ./manage.py runserver_plus --ssl1 --cert=/path/to/cert

... Or something like that.

@untitaker
Contributor

Adding a parameter is the task of the Django extension, not Werkzeug. I don't know what would work in most browsers.

@danielquinn
Author

Well of course it is, but that command line option would have to translate to an internal keyword arg right?

@markrcote

I just ran into this problem using flask to serve over https in an adhoc dev environment. Firefox 33 and later specifically rejects small keys. Monkey-patching werkzeug.serving.generate_adhoc_ssl_pair to use 1024 bits instead of 768 fixed the problem. I can make a pull request if necessary, though it's a very simple fix.
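The two practical points in this thread are the same check: the cert the browser sees must carry an RSA key of at least 1024 bits (the 2048-bit `openssl req` command in the opening post clears it; Werkzeug's old 768-bit ad-hoc pair does not). The example below is added here and is not Werkzeug's or django-extensions' code; it is a small pure-stdlib DER reader that extracts the modulus size from a PKCS#1 `RSAPublicKey` structure and compares it against that floor. To stay self-contained it also builds a constructed, non-functional `RSAPublicKey` of a chosen bit length (a random odd number with the top bit set, not a real key) purely to exercise the parser; the names `rsa_modulus_bits`, `key_acceptable` and `fake_rsa_public_key_der` are assumptions of this example.

```python
"""Check the RSA modulus size in a DER-encoded PKCS#1 RSAPublicKey.

Added example (not Werkzeug or django-extensions code). Firefox 33+ rejects
RSA keys smaller than 1024 bits, which is why Werkzeug's 768-bit ad-hoc
certificate stopped working in the thread above.
"""
import random

MIN_RSA_BITS = 1024  # floor Firefox 33+ enforces, per the thread


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 if needed)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the value positive in two's complement
    return b"\x02" + _der_len(len(body)) + body


def fake_rsa_public_key_der(bits, seed=0):
    """Constructed RSAPublicKey ::= SEQUENCE { modulus, publicExponent }.

    The modulus is just a random odd number with its top bit set so that it
    has exactly `bits` bits. It is NOT a usable key; it only feeds the parser.
    """
    rng = random.Random(seed)
    modulus = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    body = _der_int(modulus) + _der_int(65537)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple starting at `pos`."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Return the bit length of the modulus in a DER RSAPublicKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus as first element")
    return int.from_bytes(modulus, "big").bit_length()


def key_acceptable(der, minimum=MIN_RSA_BITS):
    """True if the key's modulus meets the minimum size a modern browser wants."""
    return rsa_modulus_bits(der) >= minimum


if __name__ == "__main__":
    for bits in (768, 1024, 2048):
        der = fake_rsa_public_key_der(bits)
        print(bits, "bits ->", "accepted" if key_acceptable(der) else "rejected")
```

On a real certificate you would feed the `RSAPublicKey` bytes that sit inside the certificate's `SubjectPublicKeyInfo` BIT STRING; the check itself is unchanged. Its result mirrors what the thread reports: the 768-bit pair fails, the 1024-bit monkey-patch passes, and the 2048-bit key from the `openssl req` command passes with margin.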

untitaker added a commit that referenced this issue Oct 27, 2014
@untitaker
Contributor

Just fixed this in master, will be released in 0.10.
