20c/rdap

Weak DH key on rdap.arin.net

Closed this issue · 11 comments

Hello, I've been working around an issue with ARIN's SSL/TLS configuration for quite a while now. They seem to have an unusually small DH key that OpenSSL will no longer work with. I get the error:

requests.exceptions.SSLError: SOCKSHTTPSConnectionPool(host='rdap.arin.net', port=443): Max retries exceeded with url: /registry/ip/1.1.1.1/32 (Caused by SSLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1056)')))

I'm working around this using a custom adapter for requests that disables EDH (but still permits ECDHE) and will send a PR in a few minutes if you're interested in merging it.

Am I really the only one with this issue?

Thanks
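For illustration, an added example (not the PR or the rdap project's own code) of the kind of workaround described above: an ssl.SSLContext restricted to ECDHE suites, so an undersized finite-field DH group is never negotiated while forward secrecy is kept, plus a requests transport adapter that mounts it. The names build_no_edh_context, kx_families, uses_finite_field_dh and NoEDHAdapter are mine; the context is checked offline via OpenSSL's own cipher descriptions.

```python
"""Restrict a requests Session to ECDHE-only TLS suites (added example)."""
import ssl

try:
    from requests.adapters import HTTPAdapter
except ImportError:  # requests not installed: the SSLContext helpers still work
    HTTPAdapter = object

# Only elliptic-curve ephemeral key exchange with AEAD ciphers. Finite-field
# DHE (kDHE) is excluded explicitly so a server's too-small DH group is never
# offered; static RSA (kRSA) is dropped as well so forward secrecy is retained.
ECDHE_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!kRSA:!kDHE"


def build_no_edh_context() -> ssl.SSLContext:
    """Certificate-verifying client context whose TLS 1.2 suites use ECDHE only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ECDHE_ONLY)
    return ctx


def kx_families(ctx: ssl.SSLContext) -> set:
    """Key-exchange names (the Kx= field of OpenSSL's cipher description).

    TLS 1.2 suites report 'ECDH', 'DH' or 'RSA'; TLS 1.3 suites report 'any'
    because their key exchange is negotiated outside the cipher suite.
    """
    return {
        tok[3:]
        for c in ctx.get_ciphers()
        for tok in c["description"].split()
        if tok.startswith("Kx=")
    }


def uses_finite_field_dh(ctx: ssl.SSLContext) -> bool:
    """True if any enabled TLS 1.2 suite would still negotiate finite-field DHE."""
    return "DH" in kx_families(ctx)


class NoEDHAdapter(HTTPAdapter):
    """requests transport adapter that installs the ECDHE-only context."""

    def init_poolmanager(self, connections, maxsize, block=False, **kwargs):
        kwargs["ssl_context"] = build_no_edh_context()
        return super().init_poolmanager(connections, maxsize, block=block, **kwargs)


if __name__ == "__main__":
    print("default context offers DHE:", uses_finite_field_dh(ssl.create_default_context()))
    print("ECDHE-only context offers DHE:", uses_finite_field_dh(build_no_edh_context()))
    # With requests: s = requests.Session(); s.mount("https://rdap.arin.net", NoEDHAdapter())
```

Mounting the adapter only for the one host keeps the stock cipher policy everywhere else; the proper fix remains regenerating the server's DH parameters.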

grizz commented

Hrm, seems like a problem to report to them. :) Thanks, will look into this.

Good point actually, I kind of jumped into working around it before I even bothered to contact ARIN. I'll shoot them a note and see if there is any reason their SSL config is so moribund. Maybe they'll fix it; regenerating the DH params shouldn't be impacting on their side. I'll let you know if they resolve it on their side.

grizz commented

@mzpqnxow great, thanks. Your PR looks good, but I'm a bit hesitant to include something like that into the code unless they won't update their servers. I'm happy to send a message as well or feel free to cc me (grizz@20c.com) on the email.

Thanks!

grizz commented

This is fixed for me, please re-open if you're still seeing it and we can look further.

@grizz The issue persists for me using master (and trying from PyPI just to be sure).

What OS/distribution are you on? The issue is ultimately caused by a hard-coded check in OpenSSL that was added 3 or 4 years ago, so my guess is that either your distribution/OS is patching this out of OpenSSL, or maybe your platform's Python doesn't use OpenSSL? Just thinking out loud about what else might cause the different behavior, unless maybe you're querying a non-ARIN IP address/network?

I used a random IP that falls under ARIN space: 161.161.161.161

(venv) $ pip uninstall rdap 
...
(venv) $ pip install  'git+https://github.com/20c/rdap'
...
(venv) $ $VIRTUAL_ENV/bin/rdap 161.161.161.161
Traceback (most recent call last):
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/connectionpool.py", line 978, in _validate_conn
    conn.connect()
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/connection.py", line 371, in connect
    ssl_context=context,
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 386, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/test/venv/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/connectionpool.py", line 727, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/home/test/venv/lib/python3.7/site-packages/urllib3/util/retry.py", line 446, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='rdap.arin.net', port=443): Max retries exceeded with url: /registry/ip/161.161.161.161/32 (Caused by SSLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1056)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/test/venv/bin/rdap", line 8, in <module>
    sys.exit(main())
  File "/home/test/venv/lib/python3.7/site-packages/rdap/__main__.py", line 68, in main
    obj = client.get(each)
  File "/home/test/venv/lib/python3.7/site-packages/rdap/client.py", line 155, in get
    return self.get_ip(address.ip)
  File "/home/test/venv/lib/python3.7/site-packages/rdap/client.py", line 214, in get_ip
    return RdapNetwork(self._get(url).json(), self)
  File "/home/test/venv/lib/python3.7/site-packages/rdap/client.py", line 109, in _get
    res = self.http.get(url, timeout=self.timeout)
  File "/home/test/venv/lib/python3.7/site-packages/requests/sessions.py", line 543, in get
    return self.request('GET', url, **kwargs)
  File "/home/test/venv/lib/python3.7/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/test/venv/lib/python3.7/site-packages/requests/sessions.py", line 665, in send
    history = [resp for resp in gen]
  File "/home/test/venv/lib/python3.7/site-packages/requests/sessions.py", line 665, in <listcomp>
    history = [resp for resp in gen]
  File "/home/test/venv/lib/python3.7/site-packages/requests/sessions.py", line 245, in resolve_redirects
    **adapter_kwargs
  File "/home/test/venv/lib/python3.7/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/home/test/venv/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='rdap.arin.net', port=443): Max retries exceeded with url: /registry/ip/161.161.161.161/32 (Caused by SSLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1056)')))

Let me go check my inbox and see if I've heard anything back from ARIN...

FWIW, curl has the same issue, though wget doesn't. For whatever reason, Debian decided to link wget with GnuTLS and curl with OpenSSL. I'm following up with ARIN; either way this ticket can stay the way it is, as I don't think the PR is the right way to go. This ultimately needs to be addressed on the ARIN side.

grizz commented

Strange, I've tried on CentOS 7, 8, Fedora; running tox tests against Ubuntu now as well.

PR could be an option in the config that's not on by default, I think. I'll take another look if ARIN doesn't respond.

grizz commented

@anewton1998 any insight on this?

grizz commented

@anewton1998 ohhh, I think it does, thank you!

Ah, perfect. I never heard back (I sent an email Nov 3), but it looks like they're stepping into the modern era. No need for hacky ECDH adapters anymore. One less line in constraints.txt ;)