#2883 closed defect (fixed)
SSL Server Validation not working
Reported by: | Mark Harkin | Owned by: | Antoine Martin |
---|---|---|---|
Priority: | major | Milestone: | 4.1 |
Component: | client | Version: | 3.0.x |
Keywords: | Cc: |
Description
Probably something I haven't configured correctly but on trunk I can't get the python clients ssl server validation to work against a ca file (xpra2-full attached)
Server ssl termination is on a traefik2 reverse proxy but don't think that should make a difference here.
xpra -d ssl attach wss://xpra.cr8dev.com:443 --ssl-ca-cert=/home/mjha/Desktop/xpra2-full 2020-09-22 16:05:28,419 Xpra GTK3 X11 client version 4.1 64-bit 2020-09-22 16:05:28,525 running on Linux Ubuntu 20.04 focal 2020-09-22 16:05:28,526 window manager is 'GNOME Shell' 2020-09-22 16:05:29,913 GStreamer version 1.16.2 for Python 3.8.2 64-bit 2020-09-22 16:05:30,021 created unix domain socket '/run/user/1000/xpra/clients/threadripper-261321' 2020-09-22 16:05:30,083 No OpenGL_accelerate module loaded: No module named 'OpenGL_accelerate' 2020-09-22 16:05:30,333 OpenGL enabled with GeForce GT 1030/PCIe/SSE2 2020-09-22 16:05:30,411 get_ssl_wrap_socket_fn('', '', '/home/mjha/Desktop/xpra2-full', '', 'TLSv1_2', 'optional', 'required', 'X509_STRICT', False, 'localhost', 'ALL,NO_COMPRESSION', 'DEFAULT', False) 2020-09-22 16:05:30,412 verify_mode(False)=required 2020-09-22 16:05:30,412 ca_certs=/home/mjha/Desktop/xpra2-full 2020-09-22 16:05:30,412 cert_reqs=0x2 2020-09-22 16:05:30,412 protocol=0x5 2020-09-22 16:05:30,412 cadata= 2020-09-22 16:05:30,412 verify_flags=0x20 2020-09-22 16:05:30,412 options=0x80020054 2020-09-22 16:05:30,413 cert=, key= 2020-09-22 16:05:30,413 check_hostname=False 2020-09-22 16:05:30,413 load_default_certs(Purpose.SERVER_AUTH) 2020-09-22 16:05:30,413 loading ca certs from file '/home/mjha/Desktop/xpra2-full' 2020-09-22 16:05:30,413 do_wrap_socket(<socket.socket fd=27, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.30', 47774), raddr=('192.168.1.30', 443)>) 2020-09-22 16:05:30,417 do_handshake Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/xpra/net/socket_util.py", line 890, in do_wrap_socket ssl_sock.do_handshake(True) File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108) 2020-09-22 16:05:30,418 Warning: failed to connect: 2020-09-22 16:05:30,418 SSL handshake failed: unable to get local issuer certificate (_ssl.c:1108
But seems to work with openssl
mjha@threadripper:~$ openssl s_client -connect xpra.cr8dev.com:443 -CAfile /home/mjha/Desktop/xpra2-full -x509_strict CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = xpra.cr8dev.com verify return:1 --- Certificate chain 0 s:CN = xpra.cr8dev.com i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 i:O = Digital Signature Trust Co., CN = DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- MIIFVjCCBD6gAwIBAgISBMZbtSCY6aMIm8xIkxbumxBVMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA5MTMwNjE0MDhaFw0y MDEyMTIwNjE0MDhaMBoxGDAWBgNVBAMTD3hwcmEuY3I4ZGV2LmNvbTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJxT4zGXjBgFzIh+SFq/MJvz9qlGPxH1 efrhebNVBARPXOLfycf2YFJ+2hwnvcZW2Gav9qZ1Fx4H+o44yVFc45fUisGJoLkh 9jOniBytPmu6kO2HJxWGOWlebAEKnBCKpqFukXWRLL9QQeu5S7YvMExvNYARKFSr lK219zzCgdT4FwylqiPvCL2qwKrs7OatvSINGxQG8fniBNJyI8tiKkJQPeug3tem 7AauqOp55N6f7G3NcmtSUYmj80lBTpu+6VcVIuHEy8fCUTcokmZtSPaY3GaUDA1o WqAI1OfFRkKKdgFHomDlvYUVUfiwBprisopVuTyPD57ndF4IqQzaBIMCAwEAAaOC AmQwggJgMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUERZUiMv/3Xlp7LnKbwM8sYq8 Jb8wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu b3JnLzAaBgNVHREEEzARgg94cHJhLmNyOGRldi5jb20wTAYDVR0gBEUwQzAIBgZn gQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s ZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQDnEvKwN34a YvuOyQxhhPHqezfLVh0RJlvz4PNL8kFUbgAAAXSGUGHgAAAEAwBGMEQCIBoGK9Lp ADzcr5pgbbiE9N6wlmULCdGEQYqWH3PQ1LDuAiB6vFCK7AFQG0ZRog6lurWATEBV pKclQulwGBvlbOI/zAB3AAe3XBvlfWj/8bDGHSMVx7rmV3xXlLdq7rxhOhpp06Ic AAABdIZQYewAAAQDAEgwRgIhAIEYEv5wcaoa0r/xFwInMteKOpM4nfj+lxYTdG4f +b7JAiEApXfehPLvnQw26qn08ug7Q2nWIl0HdnodHMXyZE1m1dMwDQYJKoZIhvcN AQELBQADggEBAGodcGQ+xz3fvlBBuxv93zhoE8ex66gY07T5dULTkNH46JorPW+l MV8GSS2N9YDlNzVYmQIxKzac5XpOGcbiAMML5p2wQUm9nsVhSMIgjmE3ZYpBGrU6 TxPSat0sqbzJjb4wxXbnxFjIPMOHQVs8wp8ByP/P2RaaYaKXxkhp9B3mCong0kYl rWH4YZb/lZT996lIm9nvgxFohfMxKoTk2UXJkgZZtVORBi5ptfoWJoFSl5Bk32Xv MsLZMh7L6IvqL80lT9gDa7VDYhRfTRSa3UvU1SeoeszCae7RnhzVRkKLwTSEUYRB /pU4CsYNKAH7cqfGiAayqAad3AxWJuAtMbk= -----END CERTIFICATE----- subject=CN = xpra.cr8dev.com issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3105 bytes and written 397 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 6019BD1527AC08EC44880E59BF42C3765DA9C828064EEBE9660F5394DBFCD35C Session-ID-ctx: Resumption PSK: CC9B1712A9DE99E3ED369AC45CD2465A07F4DE93F2603D66B40E18AA3D7C935A91ACB350EDB371D2834B7B85BBAB9061 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: 0000 - 14 27 f1 7b 93 ef 56 c3-69 76 57 96 e1 41 c2 22 .'.{..V.ivW..A." 0010 - dd 5a 3a 27 75 f8 ab b8-a7 3b af 56 48 1f b5 3d .Z:'u....;.VH..= 0020 - 3f af ae 77 01 a5 07 e1-12 cb d8 93 fe 1e 07 4d ?..w...........M 0030 - df 49 28 9e 1b b3 a0 b5-ec 40 a4 86 f8 45 e3 d4 .I(......@...E.. 0040 - 98 db 7d a1 a4 55 c2 4a-f7 94 0d 13 b7 8f 6e 43 ..}..U.J......nC 0050 - 01 48 66 57 93 d0 53 a4-97 25 25 78 fc 55 19 c5 .HfW..S..%%x.U.. 0060 - 9b a3 68 ea e9 bc ef 25-ae 33 c8 42 f9 0f 77 f2 ..h....%.3.B..w. 0070 - 42 aa 60 97 27 53 fa ac-55 38 35 77 09 90 c2 d2 B.`.'S..U85w.... 0080 - 05 . Start Time: 1600783459 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 ---
Attachments (1)
Change History (7)
Changed 4 months ago by
Attachment: | xpra2-full added |
---|
comment:1 Changed 4 months ago by
comment:2 follow-up: 4 Changed 4 months ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:4 Changed 4 months ago by
Replying to Antoine Martin:
Fixed in r27561.
Nice, working thanks. It still requires --ssl-check-hostname=True
Is it possible to change this (without breaking the default self-signed connection)?
comment:5 Changed 4 months ago by
Nice, working thanks. It still requires --ssl-check-hostname=True
Is it possible to change this (without breaking the default self-signed connection)?
This is likely to break some setups, but since those aren't very secure to begin with... why not change it: r27568.
(I probably won't backport this though - or maybe for 3.1.x later)
Managed to work around this by setting ssl-server-hostname explicitly
So will leave it up to you, if you think ssl-server-hostname should be inferred from the connection properties by default, otherwise this can be closed.