
Dear Forum,



When running BoxAPI through an internal proxy,


I am having trouble because an [EE certificate key too weak] SSLError has occurred.


Internal proxy information is set in Python-BoxSDK,


Skipping certificate validation will prevent SSLError from occurring.



Please let me know the cause of the above problem and how to resolve it.


My personal opinion is that the security strength of the certificate sent from the internal proxy is too weak.



【SSL Error】


requests.exceptions.SSLError: HTTPSConnectionPool(host='api.box.com', port=443): Max retries exceeded with url: /oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:997)')))

Hi @user164 , welcome to the forum!



That is certainly a possibility. I would also check what version of TLS your proxy is using.



See this article.







Can you test without using the proxy?



Best I can do is open a support ticket for you, perhaps the support folks can help you diagnose the issue.



Let us know



Best regards


Thank you for your reply.


The internal proxy’s TLS was 1.2.


I think there is no problem with 1.2, what do you think?



For tests without the internal proxy, you cannot access the Internet from within your company without going through an internal proxy.


The API will work if executed on a network different from the internal network.



If you have any opinions, please let us know


Thank you for your support.


Hi,



If your proxy is using TLS 1.2 then it is ok, only 1.1 was deprecated.



It all points to the internal certificate of your proxy.



Check with your IT team. Make sure it has been issued by a trusted certificate authority, and it is a valid certificate.



At this point I’m not sure how I can help further.



Best regards


Thank you for your opinion, it is very helpful.


I used Wireshark to check the certificate sent by my internal proxy.


The length of the certificate was 775 bytes, and the encryption method was sha256WithRSAEncryption. Also, the length of the public key was 201 bytes, and it was EC Diffie-Hellman Server Params.



In my opinion, the cause is that the public key length is not long enough for OpenSSL's security level 2.


Please let us know what you think, everyone.


Thank you for your support.


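One way to check the key-strength theory raised in this thread, as an added example that is not code from any poster or from Box: it reads the leaf (EE) certificate's own public key from DER bytes and reports the highest OpenSSL security level that accepts it, using the minimum key sizes from OpenSSL's `SSL_CTX_set_security_level` documentation. The function names and `sample_cert` (a constructed, unsigned skeleton certificate) are assumptions for the demo; in practice pass the proxy certificate exported as DER.

```python
# Added example (not from the thread). OpenSSL docs: level -> (min RSA bits, min EC bits)
MIN_BITS = {1: (1024, 160), 2: (2048, 224), 3: (3072, 256)}
OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
CURVE_BITS = {bytes.fromhex("2a8648ce3d030107"): 256, bytes.fromhex("2b81040022"): 384}  # P-256, P-384

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):      # split a constructed element's body into (tag, value) pairs
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def leaf_key(cert_der):
    """Return (kind, bits) of the subject public key in a DER X.509 cert."""
    tbs = children(children(tlv(cert_der)[1])[0][1])
    fields = tbs[1:] if tbs[0][0] == 0xA0 else tbs      # skip [0] version
    alg, key = children(fields[5][1])                   # SubjectPublicKeyInfo
    oid, *params = children(alg[1])
    if oid[1] == OID_RSA:                       # key[1][0] is the unused-bits byte
        modulus = children(tlv(key[1][1:])[1])[0][1]
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid[1] == OID_EC and params:
        return "EC", CURVE_BITS.get(params[0][1], 0)    # 0 = curve not in table
    raise ValueError("unsupported key algorithm")

def highest_level(kind, bits):
    """Highest security level in MIN_BITS that accepts this key (0 if none)."""
    return max((lv for lv, m in MIN_BITS.items() if bits >= m[0 if kind == "RSA" else 1]), default=0)

def der(tag, body):     # DER encoder, used only to build the constructed sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton with a dummy RSA modulus."""
    n = der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, n + der(0x02, b"\x01\x00\x01"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

A 1024-bit RSA leaf key gives `highest_level` 1, which is the condition OpenSSL reports as `EE certificate key too weak` when the client runs at level 2.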