errbotio / errbot

Errbot is a chatbot, a daemon that connects to your favorite chat service and bring your tools and some fun into the conversation.
http://errbot.io
GNU General Public License v3.0

Invalid certificate trust chain error even with XMPP_CA_CERT_FILE set to None #1093

Closed dark4archon closed 7 years ago

dark4archon commented 7 years ago


Issue description

I cannot get Errbot to connect to an OpenFire XMPP server. I have already set XMPP_CA_CERT_FILE to None in config.py. Yet I still get an "Invalid certificate trust chain" error.

The SSL version defaults to ssl.PROTOCOL_TLSv1 in xmlstream.py. I have manually tried other values (ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1_1, and ssl.PROTOCOL_TLSv1_2), but I get the same invalid certificate trust error. I was unable to set ssl.PROTOCOL_SSLv2 (object has no attribute error).

What am I missing? Thoughts and ideas welcome. Thanks!

```
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst Connecting to 13.122.30.11:5222
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: connected
09:26:09 DEBUG sleekxmpp.thirdparty.stat ==== TRANSITION disconnected -> connected
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst Starting HANDLER THREAD
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst Loading event runner
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst SEND (IMMED):
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst RECV:
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst RECV: PLAINzlib</stream:features>
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst SEND (IMMED): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
09:26:09 DEBUG sleekxmpp.features.featur Starting TLS
09:26:09 INFO sleekxmpp.xmlstream.xmlst Negotiating TLS
09:26:09 INFO sleekxmpp.xmlstream.xmlst Using SSL version: TLS 1.0
09:26:09 ERROR sleekxmpp.xmlstream.xmlst CERT: Invalid certificate trust chain.
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: session_end
09:26:09 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: disconnected
09:26:09 INFO errbot.core Disconnect callback, deactivating all the plugins.
09:26:09 DEBUG sleekxmpp.thirdparty.stat ==== TRANSITION connected -> disconnected
09:26:09 ERROR sleekxmpp.xmlstream.xmlst Can not read from closed socket.
```

Steps to reproduce

errbot from the CLI.

Additional info

None.

zoni commented 7 years ago

Does the value False rather than None yield any different result?

bear commented 7 years ago

Hi, I'm one of the SleekXMPP maintainers -- is there a way for me to get an errbot setup to point to the Openfire server you're testing against? That will help me figure out where the issue is without having to learn how to set up Openfire myself.

thanks

sijis commented 7 years ago

As far as I know there isn't an openfire server we have. However, quickly poking around there seem to be some Docker containers that seem to help quickly bootstrapping an Openfire box. I've personally never used any of them.

bear commented 7 years ago

@sijis ah, I thought the bug submitter would have one they could point me at - the place where this error is happening is early enough in the XMPP auth handshake I can test against without having an account on it.

sijis commented 7 years ago

@bear Ah gotcha. My apologies there.

dark4archon commented 7 years ago

@zoni

Does the value False rather than None yield any different result?

Same result. Tried it with ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, and ssl.PROTOCOL_SSLv3.

I set this in config.py: XMPP_CA_CERT_FILE = False;

Using SSLv23:

```
13:18:40 DEBUG sleekxmpp.features.featur Starting TLS
13:18:40 INFO sleekxmpp.xmlstream.xmlst Negotiating TLS
13:18:40 INFO sleekxmpp.xmlstream.xmlst SSL field: 2
13:18:40 INFO sleekxmpp.xmlstream.xmlst Using SSL version: SSL 2/3
13:18:40 ERROR sleekxmpp.xmlstream.xmlst CERT: Invalid certificate trust chain.
13:18:40 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: session_end
13:18:40 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: disconnected
```

Using TLS 1.0

```
13:19:39 DEBUG sleekxmpp.features.featur Starting TLS
13:19:39 INFO sleekxmpp.xmlstream.xmlst Negotiating TLS
13:19:39 INFO sleekxmpp.xmlstream.xmlst SSL field: 3
13:19:39 INFO sleekxmpp.xmlstream.xmlst Using SSL version: TLS 1.0
13:19:39 ERROR sleekxmpp.xmlstream.xmlst CERT: Invalid certificate trust chain.
13:19:39 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: session_end
13:19:39 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: disconnected
```

dark4archon commented 7 years ago

@bear This Openfire server is behind a corporate firewall. However, I have full access to errbot and can set up any testing against this Openfire. Would this work?

dark4archon commented 7 years ago

Could this have anything to do with the missing ssl.PROTOCOL_SSLv2? If I set that value manually in xmlstream.py, I get the following error in errbot:

```
AttributeError: 'module' object has no attribute 'PROTOCOL_SSLv2'
13:47:53 ERROR errbot.bootstrap Unable to load or configure the backend.
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/errbot/bootstrap.py", line 135, in setup_bot
    bot = backendpm.get_plugin_by_name(backend_name)
  File "/usr/local/lib/python3.4/dist-packages/errbot/specific_plugin_manager.py", line 86, in get_plugin_by_name
    raise Exception('Error loading plugin %s:\nError:\n%s\n' % (name, formatted_error))
Exception: Error loading plugin XMPP:
Error:
<class 'AttributeError'>:
  File "/usr/local/lib/python3.4/dist-packages/yapsy/PluginManager.py", line 512, in loadPlugins
    plugin_info.plugin_object = self.instanciateElement(element)
  File "/usr/local/lib/python3.4/dist-packages/errbot/specific_plugin_manager.py", line 59, in instanciateElement
    return element(self._config)
  File "/usr/local/lib/python3.4/dist-packages/errbot/backends/xmpp.py", line 398, in __init__
    self.conn = self.create_connection()
  File "/usr/local/lib/python3.4/dist-packages/errbot/backends/xmpp.py", line 421, in create_connection
    bot=self
  File "/usr/local/lib/python3.4/dist-packages/errbot/backends/xmpp.py", line 316, in __init__
    self.client = ClientXMPP(jid, password, plugin_config={'feature_mechanisms': feature})
  File "/usr/local/lib/python3.4/dist-packages/sleekxmpp/clientxmpp.py", line 70, in __init__
    BaseXMPP.__init__(self, jid, 'jabber:client', **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/sleekxmpp/basexmpp.py", line 59, in __init__
    XMLStream.__init__(self, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 126, in __init__
    self.ssl_version = ssl.PROTOCOL_SSLv2
```

dark4archon commented 7 years ago

@bear I printed out the values from xmlstream.py right before the call to ssl.wrap_socket. It is hitting the except condition to print the invalid certificate error.

```
14:01:01 DEBUG sleekxmpp.features.featur Starting TLS
14:01:01 INFO sleekxmpp.xmlstream.xmlst Negotiating TLS
14:01:01 INFO sleekxmpp.xmlstream.xmlst Using SSL version: SSL 2/3
14:01:01 INFO sleekxmpp.xmlstream.xmlst self.ssl_version: 2
14:01:01 INFO sleekxmpp.xmlstream.xmlst self.certfile: None
14:01:01 INFO sleekxmpp.xmlstream.xmlst self.keyfile: None
14:01:01 INFO sleekxmpp.xmlstream.xmlst self.ca_certs: None
14:01:01 INFO sleekxmpp.xmlstream.xmlst cert_policy: 0
14:01:01 INFO sleekxmpp.xmlstream.xmlst do_handshake_on_connect: False
14:01:01 INFO sleekxmpp.xmlstream.xmlst self.socket: <socket.socket fd=9, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('13.60.10.2', 49729), raddr=('13.122.30.11', 5222)>
14:01:01 ERROR sleekxmpp.xmlstream.xmlst CERT: Invalid certificate trust chain.
```

bear commented 7 years ago

it's possible - i'm going to get some sort of simple test code going that will then get my brain into the proper mood to debug the hell that is TLS. I should be able to get to this tomorrow to be honest.

dark4archon commented 7 years ago

@bear I added the following code after line 873 in xmlstream.py:

```python
error_msg = "Could not connect to %s:%s. Socket Error #%s: %s"
self.event('socket_error', serr, direct=True)
log.error(error_msg, self.address[0], self.address[1],
          serr.errno, serr.strerror)
```

Here is what showed up in the logs. Does this help?

```
21:37:38 ERROR sleekxmpp.xmlstream.xmlst Could not connect to 13.122.30.11:5222. Socket Error #1: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:600)
```

The python 3.4 documentation says that the SSLError is from the underlying SSL implementation. My OpenSSL version is 1.0.1f.

zoni commented 7 years ago

I suspect the server you're connecting to is using too small Diffie-Hellman parameters (likely <1024 bit). Modern OpenSSL versions outright reject connecting to such servers.

dark4archon commented 7 years ago

@zoni Is there a way to skip the SSL/TLS to try a non-encrypted connection with this server? Curious to see what would happen.

I tested chatbot2 (PHP-based), and it connected immediately to the XMPP server and joined the chatroom. However, I would like to get errbot to work (much better feature set).

dark4archon commented 7 years ago

My current testing was against Openfire 3.6.3. I am trying to set up a newer Openfire, and will post results.

dark4archon commented 7 years ago

I am going to close this issue. I found out that there were certificate issues on this Openfire 3.6.3 server. I will continue testing against Openfire 4.1 and open another issue if needed. Thank you everyone.

webji commented 5 years ago

@dark4archon Try setting xmpp.auth.anonymous to true in Openfire, which would ignore the TLS auth

squindahr commented 5 years ago

Found this on https://github.com/robertklep/nefit-easy-http-server/blob/master/README.md which works for me

The solution is mentioned here: edit the file /etc/ssl/openssl.cnf and change the following keys to these values:

```
MinProtocol = None
CipherString = DEFAULT
```
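Two things in this thread come down to the same point: SleekXMPP logged every handshake failure as "Invalid certificate trust chain" while the underlying SSLError said "dh key too small", and the openssl.cnf edit above makes the whole system accept what a single connection was rejecting. Chain verification (what `XMPP_CA_CERT_FILE` controls) and key-size checks (what OpenSSL's security level controls) are separate decisions, so turning off the first cannot fix the second. The probe below is an added example for this thread, not code from errbot or SleekXMPP. It performs the XMPP stream open and STARTTLS exchange by hand and then reports which check actually failed. `ca_file` mirrors the `XMPP_CA_CERT_FILE` semantics, and `seclevel` is the per-context equivalent of the CipherString change (assumes OpenSSL 1.1.0 or later, which understands `@SECLEVEL`). The classification rules, the helper names and the 5222 default are assumptions; `classify_ssl_error` and `build_context` run offline, the probe itself needs a reachable server.

```python
"""STARTTLS probe for an XMPP server that reports the real OpenSSL failure.

Added example for this thread, not errbot's or SleekXMPP's own code.
"""
import socket
import ssl
import sys

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def classify_ssl_error(err):
    """Coarse cause for an ssl.SSLError (or the message text of one).

    Matching the message text covers both the OpenSSL 1.0.1 mnemonic seen in
    the thread (SSL_NEGATIVE_LENGTH) and the later DH_KEY_TOO_SMALL.
    """
    if isinstance(err, ssl.SSLCertVerificationError):
        return "cert_verify_failed"
    text = err if isinstance(err, str) else " ".join(str(a) for a in err.args)
    upper = (text + " " + (getattr(err, "reason", None) or "")).upper()
    if "CERTIFICATE_VERIFY_FAILED" in upper:
        return "cert_verify_failed"
    if "DH KEY TOO SMALL" in upper or "DH_KEY_TOO_SMALL" in upper:
        return "dh_key_too_small"
    if any(m in upper for m in ("UNSUPPORTED_PROTOCOL", "WRONG_VERSION_NUMBER",
                                "NO_PROTOCOLS_AVAILABLE", "ALERT_PROTOCOL_VERSION")):
        return "protocol_version"
    return "other"


def build_context(ca_file=None, seclevel=None):
    """Mirror XMPP_CA_CERT_FILE: a path enables chain and hostname checks,
    None/False disables both. Neither setting touches key-size checks.

    seclevel scopes an OpenSSL security level to this context only (level 2
    rejects DH parameters below 2048 bits, level 1 below 1024 bits) instead of
    relaxing it system-wide via /etc/ssl/openssl.cnf.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:
        ctx.load_verify_locations(ca_file)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    if seclevel is not None:
        ctx.set_ciphers("DEFAULT@SECLEVEL=%d" % int(seclevel))
    return ctx


def verification_enabled(ctx):
    return ctx.verify_mode != ssl.CERT_NONE


def _recv_until(sock, marker):
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
    return buf


def starttls_probe(host, port=5222, domain=None, ca_file=None, seclevel=None):
    """Open the stream, request STARTTLS, attempt the handshake; return a dict."""
    domain = domain or host
    ctx = build_context(ca_file, seclevel)
    sock = socket.create_connection((host, port), timeout=10)
    try:
        sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' "
                      "xmlns='jabber:client' "
                      "xmlns:stream='http://etherx.jabber.org/streams' "
                      "version='1.0'>" % domain).encode())
        features = _recv_until(sock, b"</stream:features>")
        if XMPP_TLS_NS.encode() not in features:
            return {"ok": False, "cause": "starttls_not_offered"}
        sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        reply = _recv_until(sock, b"/>")
        if b"<proceed" not in reply:
            return {"ok": False, "cause": "starttls_refused",
                    "detail": reply.decode("utf-8", "replace")}
        try:
            tls = ctx.wrap_socket(sock, server_hostname=domain)
        except ssl.SSLError as exc:  # the real OpenSSL reason, not a generic CERT line
            return {"ok": False, "cause": classify_ssl_error(exc), "detail": str(exc)}
        except OSError as exc:
            return {"ok": False, "cause": "socket_error", "detail": str(exc)}
        result = {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
        tls.close()
        return result
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT] [--ca FILE] [--seclevel N]")
    args = sys.argv[1:]
    host = args.pop(0)
    port = int(args.pop(0)) if args and args[0].isdigit() else 5222
    opts = dict(zip(args[::2], args[1::2]))
    print(starttls_probe(host, port, ca_file=opts.get("--ca"),
                         seclevel=opts.get("--seclevel")))
```

Running `python probe.py xmpp.example.org 5222` against a server like the one in this thread returns `cause: dh_key_too_small` whether or not `--ca` is given, which is the distinction the SleekXMPP log hid. If `--seclevel 1` then makes the handshake succeed, the server's DH parameters are what is being rejected, and the durable fix is to regenerate them at 2048 bits on the server rather than lowering the client's or the system's security level.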