#2883 closed defect (fixed)
SSL Server Validation not working
| Reported by: | Mark Harkin | Owned by: | Antoine Martin |
|---|---|---|---|
| Priority: | major | Milestone: | 4.1 |
| Component: | client | Version: | 3.0.x |
| Keywords: | Cc: |
Description
Probably something I haven't configured correctly but on trunk I can't get the python clients ssl server validation to work against a ca file (xpra2-full attached)
Server ssl termination is on a traefik2 reverse proxy but don't think that should make a difference here.
xpra -d ssl attach wss://xpra.cr8dev.com:443 --ssl-ca-cert=/home/mjha/Desktop/xpra2-full
2020-09-22 16:05:28,419 Xpra GTK3 X11 client version 4.1 64-bit
2020-09-22 16:05:28,525 running on Linux Ubuntu 20.04 focal
2020-09-22 16:05:28,526 window manager is 'GNOME Shell'
2020-09-22 16:05:29,913 GStreamer version 1.16.2 for Python 3.8.2 64-bit
2020-09-22 16:05:30,021 created unix domain socket '/run/user/1000/xpra/clients/threadripper-261321'
2020-09-22 16:05:30,083 No OpenGL_accelerate module loaded: No module named 'OpenGL_accelerate'
2020-09-22 16:05:30,333 OpenGL enabled with GeForce GT 1030/PCIe/SSE2
2020-09-22 16:05:30,411 get_ssl_wrap_socket_fn('', '', '/home/mjha/Desktop/xpra2-full', '', 'TLSv1_2', 'optional', 'required', 'X509_STRICT', False, 'localhost', 'ALL,NO_COMPRESSION', 'DEFAULT', False)
2020-09-22 16:05:30,412 verify_mode(False)=required
2020-09-22 16:05:30,412 ca_certs=/home/mjha/Desktop/xpra2-full
2020-09-22 16:05:30,412 cert_reqs=0x2
2020-09-22 16:05:30,412 protocol=0x5
2020-09-22 16:05:30,412 cadata=
2020-09-22 16:05:30,412 verify_flags=0x20
2020-09-22 16:05:30,412 options=0x80020054
2020-09-22 16:05:30,413 cert=, key=
2020-09-22 16:05:30,413 check_hostname=False
2020-09-22 16:05:30,413 load_default_certs(Purpose.SERVER_AUTH)
2020-09-22 16:05:30,413 loading ca certs from file '/home/mjha/Desktop/xpra2-full'
2020-09-22 16:05:30,413 do_wrap_socket(<socket.socket fd=27, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.30', 47774), raddr=('192.168.1.30', 443)>)
2020-09-22 16:05:30,417 do_handshake
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/xpra/net/socket_util.py", line 890, in do_wrap_socket
ssl_sock.do_handshake(True)
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)
2020-09-22 16:05:30,418 Warning: failed to connect:
2020-09-22 16:05:30,418 SSL handshake failed: unable to get local issuer certificate (_ssl.c:1108
But seems to work with openssl
mjha@threadripper:~$ openssl s_client -connect xpra.cr8dev.com:443 -CAfile /home/mjha/Desktop/xpra2-full -x509_strict
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = xpra.cr8dev.com
verify return:1
---
Certificate chain
0 s:CN = xpra.cr8dev.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVjCCBD6gAwIBAgISBMZbtSCY6aMIm8xIkxbumxBVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA5MTMwNjE0MDhaFw0y
MDEyMTIwNjE0MDhaMBoxGDAWBgNVBAMTD3hwcmEuY3I4ZGV2LmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJxT4zGXjBgFzIh+SFq/MJvz9qlGPxH1
efrhebNVBARPXOLfycf2YFJ+2hwnvcZW2Gav9qZ1Fx4H+o44yVFc45fUisGJoLkh
9jOniBytPmu6kO2HJxWGOWlebAEKnBCKpqFukXWRLL9QQeu5S7YvMExvNYARKFSr
lK219zzCgdT4FwylqiPvCL2qwKrs7OatvSINGxQG8fniBNJyI8tiKkJQPeug3tem
7AauqOp55N6f7G3NcmtSUYmj80lBTpu+6VcVIuHEy8fCUTcokmZtSPaY3GaUDA1o
WqAI1OfFRkKKdgFHomDlvYUVUfiwBprisopVuTyPD57ndF4IqQzaBIMCAwEAAaOC
AmQwggJgMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUERZUiMv/3Xlp7LnKbwM8sYq8
Jb8wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAaBgNVHREEEzARgg94cHJhLmNyOGRldi5jb20wTAYDVR0gBEUwQzAIBgZn
gQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s
ZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQDnEvKwN34a
YvuOyQxhhPHqezfLVh0RJlvz4PNL8kFUbgAAAXSGUGHgAAAEAwBGMEQCIBoGK9Lp
ADzcr5pgbbiE9N6wlmULCdGEQYqWH3PQ1LDuAiB6vFCK7AFQG0ZRog6lurWATEBV
pKclQulwGBvlbOI/zAB3AAe3XBvlfWj/8bDGHSMVx7rmV3xXlLdq7rxhOhpp06Ic
AAABdIZQYewAAAQDAEgwRgIhAIEYEv5wcaoa0r/xFwInMteKOpM4nfj+lxYTdG4f
+b7JAiEApXfehPLvnQw26qn08ug7Q2nWIl0HdnodHMXyZE1m1dMwDQYJKoZIhvcN
AQELBQADggEBAGodcGQ+xz3fvlBBuxv93zhoE8ex66gY07T5dULTkNH46JorPW+l
MV8GSS2N9YDlNzVYmQIxKzac5XpOGcbiAMML5p2wQUm9nsVhSMIgjmE3ZYpBGrU6
TxPSat0sqbzJjb4wxXbnxFjIPMOHQVs8wp8ByP/P2RaaYaKXxkhp9B3mCong0kYl
rWH4YZb/lZT996lIm9nvgxFohfMxKoTk2UXJkgZZtVORBi5ptfoWJoFSl5Bk32Xv
MsLZMh7L6IvqL80lT9gDa7VDYhRfTRSa3UvU1SeoeszCae7RnhzVRkKLwTSEUYRB
/pU4CsYNKAH7cqfGiAayqAad3AxWJuAtMbk=
-----END CERTIFICATE-----
subject=CN = xpra.cr8dev.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3105 bytes and written 397 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6019BD1527AC08EC44880E59BF42C3765DA9C828064EEBE9660F5394DBFCD35C
Session-ID-ctx:
Resumption PSK: CC9B1712A9DE99E3ED369AC45CD2465A07F4DE93F2603D66B40E18AA3D7C935A91ACB350EDB371D2834B7B85BBAB9061
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - 14 27 f1 7b 93 ef 56 c3-69 76 57 96 e1 41 c2 22 .'.{..V.ivW..A."
0010 - dd 5a 3a 27 75 f8 ab b8-a7 3b af 56 48 1f b5 3d .Z:'u....;.VH..=
0020 - 3f af ae 77 01 a5 07 e1-12 cb d8 93 fe 1e 07 4d ?..w...........M
0030 - df 49 28 9e 1b b3 a0 b5-ec 40 a4 86 f8 45 e3 d4 .I(......@...E..
0040 - 98 db 7d a1 a4 55 c2 4a-f7 94 0d 13 b7 8f 6e 43 ..}..U.J......nC
0050 - 01 48 66 57 93 d0 53 a4-97 25 25 78 fc 55 19 c5 .HfW..S..%%x.U..
0060 - 9b a3 68 ea e9 bc ef 25-ae 33 c8 42 f9 0f 77 f2 ..h....%.3.B..w.
0070 - 42 aa 60 97 27 53 fa ac-55 38 35 77 09 90 c2 d2 B.`.'S..U85w....
0080 - 05 .
Start Time: 1600783459
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
Attachments (1)
Change History (8)
Changed 7 months ago by
| Attachment: | xpra2-full added |
|---|
comment:1 Changed 7 months ago by
comment:2 follow-up: 4 Changed 7 months ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:4 Changed 7 months ago by
Replying to Antoine Martin:
Fixed in r27561.
Nice, working thanks. It still requires --ssl-check-hostname=True
Is it possible to change this (without breaking the default self-signed connection)?
comment:5 Changed 7 months ago by
Nice, working thanks. It still requires --ssl-check-hostname=True
Is it possible to change this (without breaking the default self-signed connection)?
This is likely to break some setups, but since those aren't very secure to begin with... why not change it: r27568.
(I probably won't backport this though - or maybe for 3.1.x later)
comment:7 Changed 3 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2883
Note: See
TracTickets for help on using
tickets.
copyleft 2010 - 2021
Managed to work around this by setting ssl-server-hostname explicitly
So will leave it up to you, if you think ssl-server-hostname should be inferred from the connection properties by default, otherwise this can be closed.