python-3.x tls1.2 mitmproxy

Python 3: mitmproxy: Set TLS signature algorithms for server


I am using mitmproxy to log the TLS 1.2 traffic of an IoT device. The client device supports only SHA-1 signature algorithms. If I am using mitmproxy v8.0.0 it works fine. If I update to a newer version, for example 9.0.0, I get the following error:

    Client TLS handshake failed.
    The client may not trust the proxy's certificate for
    (OpenSSL Error([('SSL routines', 'tls1_set_server_sigalgs', 'no shared signature algorithms')]))

If I check the communication with Wireshark, I see that the SHA-1 signature algorithms are missing.


mitmproxy v8.0.0 uses, among others, the following dependencies:

"cryptography>=36,<37",
"pyOpenSSL>=21.0,<22.1",

mitmproxy v9.0.1:

"cryptography>=38.0,<38.1",
"pyOpenSSL>=22.1,<22.2",

I already tried to use OpenSSL v1.1.1n by building the cryptography module 38.0.4 myself. (This is the same version used in mitmproxy v8.0.0) But the error still occurs. Thus lowering the pyOpenSSL/cryptography module version breaks mitmproxy v9.0.1 as it is using APIs from the newer module versions already.

If I also rebuild the cryptography module for 8.0.0 I will get the same problem. Maybe something is different with the system's (Docker python:3.9-slim-bullseye) OpenSSL?

Is there a way to manipulate the signature algorithms directly? They seem to be either controlled by pyOpenSSL or cryptography, but I have no idea where I could change them, so the client can connect to my mitmproxy server.


Solution

  • The solution is to reconfigure the /etc/ssl/openssl.cnf for a lower SECLEVEL.

    Add the following to the beginning:

    openssl_conf = default_conf
    

    And change the ending to:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=1
    

    Same problem as here: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

    If you use the integrated OpenSSL within the cryptography module of Python, it seems to have SHA-1 enabled by default. If you use the system's one by building the module yourself, it uses the system's OpenSSL library.
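
A small checker for the configuration described in the answer, as an added example that is not part of the original answer: it follows the `openssl_conf` → `ssl_conf` → `system_default` chain in an openssl.cnf and reports the SECLEVEL and MinProtocol it sets, or that the section is never loaded. The section names `default_conf` and `ssl_sect` in the constructed sample are assumptions, since the answer shows only the first line and the last section.

```python
import re
import sys

# Constructed sample: the answer's settings plus the two linking sections (assumed names).
SAMPLE = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
"""

def parse_cnf(text):
    """Parse the openssl.cnf subset used here: [sections] and key = value lines."""
    sections, current = {"": {}}, ""       # "" is the unnamed top-of-file section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)   # value may itself contain "="
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text):
    """Follow openssl_conf -> ssl_conf -> system_default and report what it sets."""
    sections = parse_cnf(text)
    name = sections[""].get("openssl_conf")
    for link in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(link)
    sect = sections.get(name)
    if sect is None:                       # chain broken: the settings are never loaded
        return {"wired": False, "seclevel": None, "min_protocol": None}
    level = re.search(r"@SECLEVEL=(\d)", sect.get("CipherString", ""))
    return {"wired": True,
            "seclevel": int(level.group(1)) if level else None,
            "min_protocol": sect.get("MinProtocol")}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(audit(text))
```

Run it with the path to the container's `/etc/ssl/openssl.cnf`. That file is read by programs using the system OpenSSL, so a SECLEVEL of 1 there is not limited to mitmproxy.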