EDR: CA_MD_TOO_WEAK Error Stops Communication to Alliance Server



Article ID: 284957

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Alliance Feeds are not updating.
  • The error below can be found in /var/log/cb/allianceclient/allianceclient.log:
2022-02-07 00:00:54 [6003] <err> cb.alliance.comms - SSL Error encountered. Error usually caused by incorrect proxy username or password.
2022-02-07 00:00:54 [6003] <err> cb.alliance.client - Exception during main loop
...
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4044)
...
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.alliance.carbonblack.com', port=443): Max retries exceeded with url: /api/v2/reputation/module/meta (Caused by SSLError(SSLError(398, '[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4044)')))
  • Error in /var/log/messages:
Jan 30 07:01:07 edr-server dnf[567561]: Errors during downloading metadata for repository 'CarbonBlack':
Jan 30 07:01:07 edr-server dnf[567561]:  - Curl error (58): Problem with the local SSL certificate for https://yum.distro.carbonblack.io/enterprise/7.6.1-1/8/x86_64/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)]
Jan 30 07:01:07 edr-server dnf[567561]: Error: Failed to download metadata for repo 'CarbonBlack': Cannot download repomd.xml: Curl error (58): Problem with the local SSL certificate for https://yum.distro.carbonblack.io/enterprise/7.6.1-1/8/x86_64/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)]
Jan 30 07:01:07 edr-server systemd[1]: dnf-makecache.service: Main process exited, code=exited, status=1/FAILURE
Jan 30 07:01:07 edr-server systemd[1]: dnf-makecache.service: Failed with result 'exit-code'.
Jan 30 07:01:07 edr-server systemd[1]: Failed to start dnf makecache.

Environment

  • RHEL/CentOS: 8.x
  • EDR Server: All Supported Versions

Cause

  • A custom crypto-policy is set in the OS.

Resolution

  • Check the crypto-policy set for the instance. In a root terminal, run the following command:
update-crypto-policies --show
  • If anything other than 'DEFAULT' comes back, check the file located at /etc/crypto-policies/back-ends/openssl.config:
cat /etc/crypto-policies/back-ends/openssl.config
  • The output looks like the example below. If it contains '-SHA256', as in the example below, this is most likely the cause of the issue:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
  • The custom crypto-policy must allow SHA256 for communication with Alliance. The policy can be reverted to default by running the command below and rebooting the instance. See links in 'Related Content' below for more information.
update-crypto-policies --set DEFAULT
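The check described in the steps above, scripted as an added example (this is not Carbon Black's own tooling; the function names are hypothetical and the two policy strings are constructed inputs, the first copied from the output quoted above and the second being the same string with the '-SHA256' token removed rather than a real DEFAULT dump). In an OpenSSL cipher string a '-' prefix removes an algorithm and a '!' prefix forbids it, so both forms are treated as excluding SHA-256; tokens are compared whole so that '-SHA384' is not mistaken for a SHA-256 exclusion. The update-crypto-policies command and the openssl.config path are the ones named on this page.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the EDR product): decide whether an
# OpenSSL crypto-policy ciphersuite string disables SHA-256, the condition
# that makes the Alliance TLS handshake fail with CA_MD_TOO_WEAK.

# Constructed input: the custom policy string quoted in this article.
SAMPLE_CUSTOM_POLICY='@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8'
# Constructed input: the same string with the -SHA256 token removed
# (illustrative only; this is not a dump of the real DEFAULT policy).
SAMPLE_SHA256_OK='@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8'

# Path named in the article for the OpenSSL back-end of crypto-policies.
OPENSSL_POLICY_FILE=/etc/crypto-policies/back-ends/openssl.config

# sha256_disabled POLICY_STRING
# Exit 0 when the string contains a token that removes ("-SHA256") or
# forbids ("!SHA256") SHA-256, exit 1 otherwise.  Tokens are matched whole.
sha256_disabled() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -qxE -- '[-!]SHA256'
}

# policy_file_disables_sha256 [FILE]
# Same check over every line of an openssl.config-style file.
policy_file_disables_sha256() {
    file="${1:-$OPENSSL_POLICY_FILE}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    tr ':' '\n' < "$file" | grep -qxE -- '[-!]SHA256'
}

# check_host
# Live version of the article's procedure: show the active policy and, if it
# is not DEFAULT, report whether the OpenSSL back-end excludes SHA-256.
check_host() {
    active=$(update-crypto-policies --show 2>/dev/null) || {
        echo "update-crypto-policies not found; is this RHEL/CentOS 8?" >&2
        return 2
    }
    echo "active crypto-policy: $active"
    if [ "$active" = "DEFAULT" ]; then
        echo "DEFAULT policy in use; the crypto-policy is not the cause"
        return 0
    fi
    if policy_file_disables_sha256 "$OPENSSL_POLICY_FILE"; then
        echo "SHA-256 is excluded in $OPENSSL_POLICY_FILE; Alliance TLS will fail with CA_MD_TOO_WEAK"
        echo "remediation per the article: update-crypto-policies --set DEFAULT, then reboot"
        return 1
    fi
    echo "custom policy does not exclude SHA-256"
    return 0
}

# Run the live check only when explicitly asked, so the functions above can
# be sourced or exercised offline against the constructed samples.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh check_policy.sh --live` on the EDR server to reproduce the article's three steps in one pass; without `--live` the script only defines the functions, which is what allows the constructed samples to be checked without touching the host.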