ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3816) #129

Closed
avion23 opened this issue Dec 21, 2018 · 15 comments

avion23 commented Dec 21, 2018

There is a problem with the provided certificate and up to date openssl versions.

python3 ./pmca-gui.py
Loading app list
Found 10 apps
No native drivers available
Using drivers libusb-MSC, libusb-MTP
Looking for Sony devices
Querying mass storage device
Sony DSC is a camera in mass storage mode
Model: ILCE-5100
Product code: 0032827530
Serial number: 03884038
Firmware version: 3.10
Lens: Model 0x12a08019 (Firmware 1.09)
No native drivers available
Using drivers libusb-MSC, libusb-MTP
Looking for Sony devices
Querying mass storage device
Sony DSC is a camera in mass storage mode
Switching to app install mode
Waiting for camera to switch...
Traceback (most recent call last):
  File "./pmca-gui.py", line 76, in do
    installCommand(appPackage=app.package)
  File "/home/avion23/Sony-PMCA-RE/pmca/commands/usb.py", line 294, in installCommand
    installApp(device, apkFile, appPackage, outFile, local)
  File "/home/avion23/Sony-PMCA-RE/pmca/commands/usb.py", line 61, in installApp
    with ServerContext(LocalMarketServer(certFile, config.officialServer)) as server:
  File "/home/avion23/Sony-PMCA-RE/pmca/marketserver/server.py", line 68, in __init__
    self.socket = ssl.wrap_socket(self.socket, certfile=certFile)
  File "/usr/lib/python3.7/ssl.py", line 1216, in wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3816)

The camera switches correctly and waits for the app.

Output of openssl version:
OpenSSL 1.1.1a 20 Nov 2018


ghost commented Apr 13, 2019

Got the same problem. As far as I understand it, the certificate that is shipped with this tool doesn't satisfy modern openssl minimum requirements.

Solution: downgrade your openssl version to 1.0.1 or older and restart the tool. Works fine then.
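
Added example, not part of the thread or of the project's code: `CA_MD_TOO_WEAK` is OpenSSL refusing a certificate whose signature digest is below the configured security level, so a way to audit a certificate file before shipping it is to read the digest out of its `signatureAlgorithm` field. The function names, the `WEAK_DIGESTS` policy (the thread does not say which digest the shipped certificate used) and the constructed sample bytes are assumptions; `is_weak` expects a PEM string holding exactly one certificate.

```python
import ssl

SIG_OIDS = {  # signatureAlgorithm OID -> digest it uses
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}
WEAK_DIGESTS = {"md5", "sha1"}  # assumption: local policy, not read from OpenSSL

# Constructed skeleton (dummy tbsCertificate and signature), not a real certificate.
SAMPLE_DER = bytes.fromhex("30183003020101300d06092a864886f70d0101050500030200ff")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def decode_oid(body):
    """Dotted string for the content octets of an OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def signature_digest(der):
    """(oid, digest) from the certificate's outer signatureAlgorithm field."""
    _, pos, _ = read_tlv(der, 0)          # enter the Certificate SEQUENCE
    _, _, pos = read_tlv(der, pos)        # step over tbsCertificate
    _, pos, _ = read_tlv(der, pos)        # enter the AlgorithmIdentifier
    tag, start, end = read_tlv(der, pos)  # the algorithm OID itself
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(der[start:end])
    return oid, SIG_OIDS.get(oid, "unknown")


def is_weak(pem_text):
    """True when the single certificate in pem_text uses a digest in WEAK_DIGESTS."""
    return signature_digest(ssl.PEM_cert_to_DER_cert(pem_text))[1] in WEAK_DIGESTS
```
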


kai3341 commented Jan 18, 2020

I know it's much better to use another certificate but sometimes there is no choice:

import ssl
# @SECLEVEL=0 permits everything, including certificates signed with weak digests
ctx = ssl.SSLContext()
ctx.set_ciphers('ALL:@SECLEVEL=0')

I know it's a very rude solution. Use it as a starting point.


fedjo commented Apr 5, 2020

@matthias-mo's workaround could be a solution, but downgrading it on my systems requires a lot of dependent packages to be updated as well.

I tried the 'ugly' solution from @kai3341 by adding these lines to the ssl.py lib.
At first sight the problem seems to have passed, but when the GUI app tries to upload the app to the camera I get the following stack trace:

Traceback (most recent call last):
  File "pmca-gui.py", line 57, in do
    infoCommand()
  File "/home/lebowski/Sony-PMCA-RE/pmca/commands/usb.py", line 238, in infoCommand
    info = installApp(device)
  File "/home/lebowski/Sony-PMCA-RE/pmca/commands/usb.py", line 87, in installApp
    raise Exception('Communication error %d: %s' % (result.code, result.message))
Exception: Communication error 201: Error completed (SSL error)


Wouldn't a more permanent solution be to update the localtest.me.pem certificate?


pantierra commented Apr 18, 2020

Having the same issue as described in the initial thread, when running it from the repository and on linux. Wasn't able to proceed at all. Any help would be appreciated. Downgrading is not an option, because of many packages having dependencies with openssl.

Using one of the packed released binaries for Windows it worked fine.


slohse commented Apr 18, 2020

I got as far as @fedjo by replacing the contents of certs/localtest.me.pem with the privkey and fullchain of a Let's Encrypt cert that I have access to. But now I'm stuck as well.

Owner

ma1co commented Apr 21, 2020

Can you try replacing the certificate with this file? localtest.me.pem.txt (remove the .txt extension)


slohse commented Apr 21, 2020

Yields the same error.

Also, when I struggled with this initially a few days ago, I poked around a bit with pdb and it seems to me that the camera closes the connection. I could be wrong, though; I did not dig into this thoroughly, as I found another solution (see below). Could it be something like that the newer openssl defaults to not offering some older SSL/TLS version that the camera requires?

In the end I installed Ubuntu 14.04 on a USB stick and put a modern Python 3 on there using Conda. That worked, but it is kind of inconvenient to boot into an entirely different OS :)

Owner

ma1co commented Apr 22, 2020

Which linux distribution are you using?


slohse commented Apr 23, 2020

Debian unstable, probably not the best for reproducibility 😬

ma1co added a commit that referenced this issue Apr 25, 2020
Owner

ma1co commented Apr 25, 2020

This should be fixed now.

ma1co closed this as completed Apr 25, 2020

slohse commented Apr 26, 2020

I can confirm that it works now.

Awesome, thank you!


fedjo commented Apr 26, 2020

Thanks @ma1co


davepee commented Jan 24, 2021

For me, with the new certificate, still the same problem: Exception: Communication error 201: Error completed (SSL error).
localtest.me.pem.txt is not a solution.


c1ko commented Apr 26, 2021

You can use a Fedora 28 Live System. It has Python 3.6 (new enough) and openssl 1.1.0h (old enough) to work. Only thing you need to install is python3-tkinter and the dependencies via pip3 install -r requirements.txt.

Owner

ma1co commented Jun 3, 2021

In 9ab9dbe, I have switched to tlslite-ng, now it should definitely be fixed.
