How To Fix “ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small” Error in Python on Ubuntu 20.04

The “ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small” error is a common issue that developers encounter when trying to establish an SSL connection in Python on Ubuntu 20.04. This error often arises due to the default upstream Debian OpenSSL settings becoming more secure. In this article, we will explore the solutions to fix this error.

Quick Answer

To fix the "ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small" error in Python on Ubuntu 20.04, you can try adjusting the ciphers used for the connection or upgrading to a newer version of Ubuntu.

Understanding the Error

Before we dive into the solutions, it’s important to understand the error. This error is triggered when the Diffie-Hellman key used in the SSL handshake process is too small. This can happen when you upgrade from Ubuntu 19.10 to 20.04. The new version of OpenSSL in Ubuntu 20.04 has increased security, which can cause compatibility issues with some older SSL/TLS configurations.

Solution 1: Adjusting the Ciphers

One possible solution is to adjust the ciphers used for the connection. This can be done by creating an SSLContext and setting its cipher string. Here’s an example of how you can do this for an SMTP connection that is upgraded to TLS with STARTTLS:

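import smtplib
import ssl

# config, recipients and msg are assumed to be defined elsewhere in the application.
connection = smtplib.SMTP(config['Email']['host'] + ':' + config['Email']['port'])
# A context created this way does not verify the server certificate by default.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# Lower the OpenSSL security level for this context so small DH keys are accepted.
context.set_ciphers('DEFAULT@SECLEVEL=1')
# Upgrade the plain SMTP session to TLS using the relaxed context.
connection.starttls(context=context)
connection.login(config['Email']['user'], config['Email']['pw'])
connection.sendmail(config['Email']['sender'], recipients, msg.as_string())
connection.close()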

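In this code, we create an SSLContext object with ssl.SSLContext(ssl.PROTOCOL_TLSv1_2). The ssl.PROTOCOL_TLSv1_2 argument selects the version of the TLS protocol to use. We then call context.set_ciphers('DEFAULT@SECLEVEL=1') to set the cipher string to ‘DEFAULT@SECLEVEL=1’, which lowers the OpenSSL security level for this context and allows the use of smaller keys. Two caveats apply: a context created directly with ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) does not verify the server certificate or hostname by default, and the lowered security level applies to every connection made with that context, so use it only for the server that needs it.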

Solution 2: Upgrading Ubuntu

Another solution is to upgrade to a newer version of Ubuntu. Some users have reported that upgrading to Ubuntu 20.04.1 resolved the issue for them. You can upgrade Ubuntu by running the following commands:

sudo apt-get update
sudo apt-get upgrade

The sudo apt-get update command updates the list of available packages and their versions, but it does not install or upgrade any packages. The sudo apt-get upgrade command actually installs newer versions of the packages you have.

Conclusion

While these solutions can help you resolve the “ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small” error, they should be used as a last resort. The ideal solution is to improve the security of the server. However, in some cases, this may not be possible. If you are using urllib3, you can refer to the official urllib3 documentation for adapting the code to work with urllib3. Remember, always keep your system and packages updated to avoid such errors in the future.

What is the cause of the “ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small” error?

The error is caused by the Diffie-Hellman key used in the SSL handshake process being too small. This can occur when upgrading from Ubuntu 19.10 to 20.04 due to the increased security settings in the new version of OpenSSL.

How can I adjust the ciphers to fix the error?

To adjust the ciphers, you can create an SSLContext object and set the CipherString. This can be done using the ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) command to create the SSLContext object and the context.set_ciphers('DEFAULT@SECLEVEL=1') command to set the CipherString to ‘DEFAULT@SECLEVEL=1’. This will lower the security level and allow the use of smaller keys.

Can upgrading to a newer version of Ubuntu resolve the error?

Yes, upgrading to a newer version of Ubuntu, such as Ubuntu 20.04.1, has been reported to resolve the issue for some users. You can upgrade Ubuntu by running the sudo apt-get update command followed by the sudo apt-get upgrade command.

Is it recommended to use the solutions mentioned in this article as a last resort?

Yes, it is recommended to use the solutions mentioned in this article as a last resort. Ideally, the server’s security should be improved, but in some cases, that may not be possible. These solutions can help resolve the error, but it’s always important to keep your system and packages updated to avoid such errors in the future.
