Open aravinthu opened 8 years ago
I ran into a similar thing the other week:
[2016-09-17 20:50:52,255] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: ssl_cert
[2016-09-17 20:50:52,271] ERROR [sleekxmpp.xmlstream.xmlstream.start_tls():892] Could not match certificate against hostname: domain.com
[2016-09-17 20:50:52,271] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: session_end
[2016-09-17 20:50:52,271] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: disconnected
[2016-09-17 20:50:52,271] DEBUG [sleekxmpp.thirdparty.statemachine.transition_any():126] ==== TRANSITION connected -> disconnected
[2016-09-17 20:50:52,271] DEBUG [sleekxmpp.xmlstream.xmlstream.send_raw():1320] SEND (IMMED): <stream:stream to='domain.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
[2016-09-17 20:50:52,271] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: socket_error
[2016-09-17 20:50:52,272] WARNING [sleekxmpp.xmlstream.xmlstream.send_raw():1353] Failed to send b"<stream:stream to='domain.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>"
[2016-09-17 20:50:52,272] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: session_end
[2016-09-17 20:50:52,272] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: socket_error
[2016-09-17 20:50:52,272] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: disconnected
[2016-09-17 20:50:52,272] DEBUG [sleekxmpp.thirdparty.statemachine.transition_any():126] ==== TRANSITION connected -> disconnected
[2016-09-17 20:50:52,272] DEBUG [sleekxmpp.xmlstream.xmlstream.event():1173] Event triggered: socket_error
[2016-09-17 20:50:52,272] ERROR [sleekxmpp.xmlstream.xmlstream._process():1507] Socket Error #9: Bad file descriptor
In my case the issue was my jabber IDs are of the form username@domain.com, my XMPP server lives at xmpp.domain.com, and my cert is only valid for xmpp.domain.com.
The validation code only matches the cert against the domain taken from the jabber ID. It doesn't consider that you might end up connecting to a different hostname by following the SRV records.
I haven't had time to attempt a patch, but I worked around it in my code by doing this:
# Match the certificate against the SRV target instead of the JID domain
xmpp._expected_server_name = 'xmpp.domain.com'
if xmpp.connect():
    LOG.debug("Connected to XMPP server.")
    xmpp.process(block=True)
else:
    LOG.critical("Unable to connect. Shit.")
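As an added example (not code from SleekXMPP or from anyone in this thread), a stand-alone model of the name check described above: it shows why a cert issued for the SRV target fails against the JID domain, passes once the expected name is the SRV target, and cannot pass at all when, as reported later in the thread, no names are extracted. The matching rules, the helper names and the sample dicts are assumptions constructed for this example.

```python
# Added example, not SleekXMPP's own code: a simplified model of certificate
# name matching for an XMPP client, over the names dict shape this thread
# prints. The matching rules are an assumption, not cert.py's exact logic.

def match_names(expected, names):
    """True if some extracted certificate name covers `expected`."""
    expected = expected.lower()
    parent = expected.split('.', 1)[1] if '.' in expected else ''
    srv_name = '_xmpp-client.' + expected
    if expected in {n.lower() for n in names.get('XMPPAddr', ())}:
        return True
    if any(n.lower() in (srv_name, expected) for n in names.get('SRV', ())):
        return True
    for n in (n.lower() for n in names.get('DNS', ())):
        if n == expected:
            return True
        # A wildcard covers exactly one label: "*.domain.com" matches
        # "xmpp.domain.com" but not "domain.com" or "a.b.domain.com".
        if n.startswith('*.') and '*' not in n[1:] and n[2:] == parent:
            return True
    # The subject CN is a legacy fallback, consulted only when the cert
    # carries none of the subjectAltName kinds checked above.
    if not (names.get('DNS') or names.get('SRV') or names.get('XMPPAddr')):
        if expected in {n.lower() for n in names.get('CN', ())}:
            return True
    return False


def verify_server(jid_domain, srv_target, names):
    """Report which name the certificate covers: 'jid' (the JID domain,
    the name RFC 6120 expects a client to check), 'srv' (only the SRV
    target, i.e. the `_expected_server_name` workaround, which is only as
    trustworthy as the DNS answer behind it) or 'none' (neither; this is
    also what an empty names dict yields, so the workaround cannot help
    when extraction returns nothing)."""
    if match_names(jid_domain, names):
        return 'jid'
    if srv_target and match_names(srv_target, names):
        return 'srv'
    return 'none'


# Constructed samples: a cert issued only for the SRV target, and one from
# which nothing was extracted (both situations reported in this thread).
SRV_ONLY_CERT = {'DNS': {'xmpp.domain.com'}, 'CN': {'xmpp.domain.com'},
                 'SRV': set(), 'XMPPAddr': set(), 'URI': set()}
EMPTY_CERT = {'DNS': set(), 'CN': set(), 'SRV': set(), 'XMPPAddr': set(),
              'URI': set()}
```

Calling `verify_server('domain.com', 'xmpp.domain.com', SRV_ONLY_CERT)` reproduces the thread's situation, and the same call with `EMPTY_CERT` shows why the workaround stops helping once extraction yields nothing.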
Discard the ssl_invalid_cert event. Sample code as follows:
self.add_event_handler("ssl_invalid_cert", self.discard)
# SleekXMPP passes the rejected PEM certificate as the handler's only
# argument. Registering any handler for this event makes the stream
# continue despite the failed hostname match, so the server is no longer
# authenticated.
def discard(self, pem_cert):
    return
My workaround, no idea why it works.
The error:
DEBUG Loaded Plugin: RFC 6120: Stream Feature: STARTTLS
DEBUG Loaded Plugin: RFC 6120: Stream Feature: Resource Binding
DEBUG Loaded Plugin: RFC 3920: Stream Feature: Start Session
DEBUG Loaded Plugin: RFC 6121: Stream Feature: Roster Versioning
DEBUG Loaded Plugin: RFC 6121: Stream Feature: Subscription Pre-Approval
DEBUG Loaded Plugin: RFC 6120: Stream Feature: SASL
DEBUG Loaded Plugin: XEP-0030: Service Discovery
DEBUG Loaded Plugin: XEP-0199: XMPP Ping
DEBUG DNS: Querying jabberd.mydomain.local for AAAA records.
DEBUG DNS: No AAAA records for jabberd.mydomain.local
DEBUG DNS: Querying jabberd.mydomain.local for A records.
DEBUG Connecting to 10.10.10.102:5222
DEBUG Event triggered: connected
DEBUG ==== TRANSITION disconnected -> connected
DEBUG Starting HANDLER THREAD
DEBUG Loading event runner
DEBUG SEND (IMMED): <stream:stream to='mydomain.local' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
DEBUG RECV: <stream:stream version="1.0" from="mydomain.local" xml:lang="en" id="3153573524">
DEBUG RECV: <stream:features xmlns="http://etherx.jabber.org/streams"><c xmlns="http://jabber.org/protocol/caps" ver="CN+Bi/nPDdZXEFPfLRlpdSZ6Bpw=" node="http://www.process-one.net/en/ejabberd/" hash="sha-1" /><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls></stream:features>
DEBUG SEND (IMMED): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls>
DEBUG RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
DEBUG Starting TLS
INFO Negotiating TLS
INFO Using SSL version: TLS 1.0
DEBUG CERT: -----BEGIN CERTIFICATE-----
MIIG....
-----END CERTIFICATE-----
DEBUG Event triggered: ssl_cert
ERROR Could not match certficate against hostname: mydomain.local
DEBUG Event triggered: session_end
DEBUG Event triggered: disconnected
DEBUG ==== TRANSITION connected -> disconnected
DEBUG SEND (IMMED): <stream:stream to='mydomain.local' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
DEBUG Event triggered: socket_error
WARNING Failed to send b"<stream:stream to='mydomain.local' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>"
DEBUG Event triggered: session_end
DEBUG Event triggered: socket_error
DEBUG Event triggered: disconnected
DEBUG ==== TRANSITION connected -> disconnected
DNS seems to be OK:
$ dig @my_dns.mydomain.local. _xmpp-server._tcp.mydomain.local. any +short
0 0 5269 jabberd.mydomain.local.
The workaround works on one PC out of three (!?!?):
pip uninstall pyasn1
pyasn1 is used to validate certificates. So uninstalling it will disable verification.
I ran into the same issue and the problem is in this file https://github.com/fritzy/SleekXMPP/blob/develop/sleekxmpp/xmlstream/cert.py: the extract_names function for some reason is not extracting DNS or CN records. I checked with openssl x509 -in certificate.crt -text -noout and the records are there.
When I put a simple print in this file I get this:
{'DNS': set(), 'CN': {'my-hostname'}, 'SRV': set(), 'XMPPAddr': set(), 'URI': set()}
Which is all wrong, as my-hostname is a locally defined hostname.
+1 same thing with jabbim.com
tried:
self.add_event_handler("ssl_invalid_cert", self.discard)
in init:
def discard(self, event):
    return
Also, I tried to change SSL/TLS versions, no success.
Upgraded to Ubuntu 18.04 tonight and now seem to run in the same problem. CN is no longer extracted from the cert.
{'XMPPAddr': set([]), 'SRV': set([]), 'CN': set([]), 'DNS': set([]), 'URI': set([])}
So the "xmpp._expected_server_name" trick does no longer work.
Package: python-sleekxmpp 1.3.3-3 python-pyasn1 0.4.2-3 python-pyasn1-modules 0.2.1-0.2
Have you tested 1.3.2?
@aravinthu @jdiemz @miu060502 @derek-austin @Artiom-M @LennyLip @mdavids: Any news?
Have you tested with "master"?
It works?
I've switched to matrix.
I'm getting this log when I'm trying muc.py; my domain already has an SSL cert.
DEBUG Event triggered: ssl_cert
ERROR Could not match certficate against hostname: MYDOMIAN.COM
DEBUG Event triggered: session_end
DEBUG Event triggered: disconnected
DEBUG ==== TRANSITION connected -> disconnected
DEBUG SEND (IMMED):
DEBUG Event triggered: socket_error
WARNING Failed to send
DEBUG Event triggered: session_end
DEBUG Event triggered: socket_error
DEBUG Event triggered: disconnected
DEBUG ==== TRANSITION connected -> disconnected
DEBUG Event triggered: socket_error
ERROR Socket Error #9: Bad file descriptor