[SSL: DH_KEY_TOO_SMALL] dh key too small #25020

Open
xmstspider opened this issue Apr 26, 2020 · 3 comments

@xmstspider xmstspider commented Apr 26, 2020

Checklist

  • I'm reporting a broken site support issue
  • I've verified that I'm running youtube-dl version 2020.03.24
  • I've checked that all provided URLs are alive and playable in a browser
  • I've checked that all URLs and arguments with special characters are properly quoted or escaped
  • I've searched the bugtracker for similar bug reports including closed ones
  • I've read bugs section in FAQ

Verbose log

youtube-dl --verbose https://www.ceskatelevize.cz/porady/11571031751-anatomie-zrady/219512120010001/
[debug] System config: []
[debug] User config: []
[debug] Custom config: []
[debug] Command-line args: ['--verbose', 'https://www.ceskatelevize.cz/porady/11571031751-anatomie-zrady/219512120010001/']
[debug] Encodings: locale UTF-8, fs utf-8, out utf-8, pref UTF-8
[debug] youtube-dl version 2020.03.24
[debug] Python version 3.8.2 (CPython) - Linux-5.4.0-26-generic-x86_64-with-glibc2.29
[debug] exe versions: ffmpeg 4.2.2, ffprobe 4.2.2, phantomjs 2.1.1, rtmpdump 2.4
[debug] Proxy map: {}
[CeskaTelevizePorady] 219512120010001: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1108)> (caused by URLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1108)')))
  File "/home/xzdse/.local/lib/python3.8/site-packages/youtube_dl/extractor/common.py", line 627, in _request_webpage
    return self._downloader.urlopen(url_or_request)
  File "/home/xzdse/.local/lib/python3.8/site-packages/youtube_dl/YoutubeDL.py", line 2238, in urlopen
    return self._opener.open(req, timeout=self._socket_timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/lib/python3.8/urllib/request.py", line 542, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/home/xzdse/.local/lib/python3.8/site-packages/youtube_dl/utils.py", line 2726, in https_open
    return self.do_open(functools.partial(
  File "/usr/lib/python3.8/urllib/request.py", line 1322, in do_open
    raise URLError(err)

Description

This should be already fixed in #22335 but I came back after upgrading Ubuntu 19.10 to 20.04. I tested Youtube to verify but it seems to be related to this site only. Since this issue is not present when browsing the site, there must be a way to convince youtube-dl to accept weak DH keys.

@webdevelopers-eu webdevelopers-eu commented Apr 29, 2020

I had the same problem and I noticed that CURL throws the same error during testing.

curl "https://www.ceskatelevize.cz/ivysilani/1097181328-udalosti/220411000100429/obsah/765028-posileni-pravomoci-ministra-zdravotnictvi"
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

The temporary workaround for me was to edit /etc/ssl/openssl.cnf and comment out CipherString = DEFAULT@SECLEVEL=2

Then it started working.

The issue seems to be with the Česká Televize website. It supports weak Diffie-Hellman (DH) key exchange parameters - a vulnerability described here: https://weakdh.org/

WGET works just fine. I tried to use --external-downloader wget with no luck. It seems that for probe requests it does not use the downloader indicated on the command line. I consider this to be a bug.

@xmstspider xmstspider commented Apr 30, 2020

> The temporary workaround for me was to edit /etc/ssl/openssl.cnf and comment out CipherString = DEFAULT@SECLEVEL=2

Hmm I don't have this line in my Ubuntu 20.04

@webdevelopers-eu webdevelopers-eu commented Apr 30, 2020

If it is not there, you can try adding CipherString = DEFAULT@SECLEVEL=1 to the [system_default_sect] section. See the level descriptions: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html

Just make sure you edit the right location; run openssl version -d.

Same issue for Ubuntu here, with a tip on how to do it without modifying the system-wide config: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
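
Added example, not part of the thread or of youtube-dl's code: the SECLEVEL=1 relaxation discussed above, applied from Python to a single allowlisted host while certificate and hostname verification stay on. The names `WEAK_DH_HOSTS`, `context_for`, `SameHostRedirect` and `fetch` are hypothetical, and the allowlist entry is the host from this report.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Assumption: hosts known to offer only small DH parameters. Every other host
# keeps the platform default security level.
WEAK_DH_HOSTS = {"www.ceskatelevize.cz"}


def context_for(host):
    """Return a verifying TLS context; lower the level only for listed hosts."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if (host or "").lower() in WEAK_DH_HOSTS:
        # Same cipher string as the openssl.cnf workaround, but scoped to
        # this one context instead of every OpenSSL client on the machine.
        ctx.set_ciphers("DEFAULT@SECLEVEL=1")
    return ctx


class SameHostRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects to another host, which would inherit the weak context."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).hostname != urlsplit(req.full_url).hostname:
            return None  # urllib then raises HTTPError for the 3xx response
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, timeout=20):
    """Fetch an https URL with a context chosen for that URL's host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are supported")
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=context_for(parts.hostname)),
        SameHostRedirect(),
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Removing a host from `WEAK_DH_HOSTS` once its server is reconfigured restores the default level for it without touching /etc/ssl/openssl.cnf.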
