SSL Error since HA 2022.7 update. SSL: DH_KEY_TOO_SMALL

[jdenver13]

My pyscript script has been running fine till the Home Assistant update 2022.7.0.
This is the error message that come up.

This error originated from a custom integration.

Logger: custom_components.pyscript.file.rubish.rubbish_day
Source: custom_components/pyscript/eval.py:480
Integration: Pyscript Python scripting (documentation, issues)
First occurred: 11:46:32 am (1 occurrences)
Last logged: 11:46:32 am

Exception in <file.rubish.rubbish_day> line 28: raw_html = task.executor(requests.get, url) ^ SSLError: HTTPSConnectionPool(host='apps.castlepoint.gov.uk', port=443): Max retries exceeded with url: /cpapps/index.cfm?roadID=2757&fa=wastecalendar.displayDetails (Caused by SSLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)')))

Was wondering if anyone has any ideas on how to solve this or what I could try.

Thank you.

[jdenver13]

I have found old threads with similar errors and they mention downgrading the SSL security by changing the CipherString from DEFAULT@SECLEVEL=2 to DEFAULT@SECLEVEL=1 in the /etc/ssl/openssl.cnf file, I have looked into this but cant see any reference to CipherString = DEFAULT@SECLEVEL=2 in the file plus I am not happy with downgrading the security level.

Are there any other options open to try?

[mbbush]

I'm generally not a fan of downgrading the security either, but the issue here is with the apps.castlepoint.gov.uk server. Whatever it's using for SSL doesn't use algorithms or key sizes that are considered secure by modern standards. The upgrade to HA 2022.7 updated the definition of "modern standards" enforced by HA (probably because that release upgraded from python 3.9 to 3.10).

When I try to connect to that same url using a modern curl with default settings, I get the same error:

curl -v 'https://apps.castlepoint.gov.uk/cpapps/index.cfm?roadId=2757&fa=wastecalendar.displayDetails'
*   Trying 94.101.163.98:443...
* Connected to apps.castlepoint.gov.uk (94.101.163.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A00018A:SSL routines::dh key too small
* Closing connection 0
curl: (35) error:0A00018A:SSL routines::dh key too small

So your options are:

1. Accept the insecure ciphers
2. Reject them and have a broken integration
3. Complain to the server maintainer about it

I'm not sure exactly how best to configure which ciphers are accepted, but the fact that this is almost certainly caused by the python 3.9 -> 3.10 upgrade should give you something more specific to guide your googling.