Sling Academy
Home/Python/Fixing Python requests.exceptions.SSLError: dh key too small

Fixing Python requests.exceptions.SSLError: dh key too small

Last updated: January 02, 2024

Overview

When working with the requests library in Python to make HTTPS requests, a common issue that programmers may encounter is the requests.exceptions.SSLError: dh key too small error. This error is related to the encryption mechanisms used in establishing a secure connection and typically occurs due to the server’s Diffie-Hellman key being below an acceptable size for strong encryption by today’s standards.

Understanding the reasons behind this error leads to a better approach toward solving it. This guide outlines some solutions to this issue, including steps to implement them and their respective pros and cons.

Solution 1: Update the Server’s Cryptography Settings

The most secure and direct approach to fixing this error is by updating the server’s cryptographic settings. This involves increasing the size of the Diffie-Hellman key used for establishing the secure connection to a size that’s considered safe by modern encryption standards.

Here are the steps to follow:

  1. Access the server that is hosting the application.
  2. Update the server’s SSL/TLS configuration to use a larger Diffie-Hellman key (ideally 2048 bits or more).
  3. Restart the server to apply the changes.

Advantages:

  • Increases the security of the server.
  • Solves the issue for all clients accessing the server.

Limitations:

  • Requires server access and administrative privileges.
  • Not possible if using a third-party service.

Solution 2: Downgrade OpenSSL Security Level

Another method is to downgrade the level of security that OpenSSL enforces. This solution involves lowering the security level in OpenSSL to permit smaller Diffie-Hellman keys.

Here’s the process:

  • Open the OpenSSL configuration file (usually found at /etc/ssl/openssl.cnf).
  • Locate the MinProtocol or CipherString directives (depending on the version of OpenSSL).
  • Adjust the security level to a lower setting that allows for smaller key sizes (e.g., change to ‘SECLEVEL=1’ in the CipherString section).
  • Save the changes and restart any services using OpenSSL.

Advantages:

  • Quick fix that does not necessarily require server access.
  • Useful when the server cannot be configured immediately.

Limitations:

  • Reduces the overall security level of OpenSSL.
  • May expose the system to vulnerabilities.

Solution 3: Changing Python Requests SSL Version

Adjusting the SSL version used by Python requests can also be a workaround. By specifying a different SSL version when making the request, one may bypass the dh key size check. However, this should be done with caution as it may introduce security risks.

Below are the main points:

  • Install the PyOpenSSL, ndg-httpsclient, and pyasn1 modules.
  • Import the required SSL context from OpenSSL in your Python script.
  • Configure the context to use a different SSL version (e.g., TLSv1).
  • Pass the SSL context to the requests library when making a call.

Eample:

from requests.packages.urllib3.contrib.pyopenssl import inject_into_urllib3, extract_from_urllib3
import urllib3
import requests

# Inject PyOpenSSL into urllib3
inject_into_urllib3()

# Set up an SSL context
from OpenSSL import SSL
ctx = SSL.Context(SSL.TLSv1_2_METHOD)

# Remove PyOpenSSL injection
extract_from_urllib3()

# Make a request with the custom context
response = requests.get('https://some-website.com', verify=ctx)
print(response.text)

Advantages:

  • Does not require server modifications.
  • Allows the client to override the default SSL settings.

Limitations:

  • Can introduce serious security risks by downgrading the SSL protocol.
  • Not a long-term solution.
  • Needs additional dependencies.

This guide should help programmers understand and navigate around the dh key too small error in Python, assessing the best solution for their circumstances and considering both security and practicality.

Next Article: How to Fix SSL InsecurePlatform Error in Python Requests

Previous Article: Fixing Python Requests Error: No Connection Adapters

Series: Python: Network & JSON tutorials

Python

You May Also Like

  • Python Warning: Secure coding is not enabled for restorable state
  • Python TypeError: write() argument must be str, not bytes
  • 4 ways to install Python modules on Windows without admin rights
  • Python TypeError: object of type ‘NoneType’ has no len()
  • Python: How to access command-line arguments (3 approaches)
  • Understanding ‘Never’ type in Python 3.11+ (5 examples)
  • Python: 3 Ways to Retrieve City/Country from IP Address
  • Using Type Aliases in Python: A Practical Guide (with Examples)
  • Python: Defining distinct types using NewType class
  • Using Optional Type in Python (explained with examples)
  • Python: How to Override Methods in Classes
  • Python: Define Generic Types for Lists of Nested Dictionaries
  • Python: Defining type for a list that can contain both numbers and strings
  • Using TypeGuard in Python (Python 3.10+)
  • Python: Using ‘NoReturn’ type with functions
  • Type Casting in Python: The Ultimate Guide (with Examples)
  • Python: Using type hints with class methods and properties
  • Python: Typing a function with default parameters
  • Python: Typing a function that can return multiple types