Closed Bug 1089390 Opened 10 years ago Closed 10 years ago

[PulseGuardian] SSL errors running in dev mode without --fake-account

Categories

(Webtools :: Pulse, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcote, Unassigned)

Details

I'm getting SSL errors running web.py (without --fake-account).  It was working fine before, so I don't know what changed; it's not related to the fake-account feature from bug 1073348 since I could reproduce it before I merged that feature in.

In Firefox release (33.0.1) I get this error when navigating to https://localhost:5000:

Secure Connection Failed

An error occurred during a connection to localhost:5000. The key does not support the requested operation. (Error code: sec_error_invalid_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

In Nightly 36.0a1 (2014-10-26) I get a slightly different, more informative error:

Secure Connection Failed

An error occurred during a connection to localhost:5000. The server presented a certificate with a key size that is too small to establish a secure connection. (Error code: mozilla_pkix_error_inadequate_key_size)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

So maybe this can be fixed by just bumping up the key size.
It seems that in the current version of werkzeug, the certificate-generation code uses 768 bits.  It appears this is no longer accepted as a valid certificate by Firefox (and I think other browsers, thanks to Poodle).

I can monkey-patch this until werkzeug is updated.
Unrelated, I actually never tried running the dev server in Python 2.6 (since it's run through WSGI on the Python-2.6 production, with SSL being provided by Zeus), but I found that pyOpenSSL 0.14 doesn't work with Python 2.6.  It was fixed[1] back in April but there hasn't been a release since.  Installing from master works, though, so we can update the docs appropriately.

[1] https://github.com/pyca/pyopenssl/commit/8e41d02c980c8f4b2432096a5cf8c9459b8fc790
https://github.com/mozilla/pulseguardian/commit/e1475345e7743ce2af6a33351d063bae51b1265c
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED