home-assistant / core


XMPP/Jabber validate flag does not work #104323

Closed sophipl closed 4 months ago

sophipl commented 11 months ago

The problem

I'm using Jabber for HomeAssistant notifications.

This is my config for this part:

```yaml
notify:
  - name: "HomeJabber"
    platform: xmpp
    sender: HomeAssistant@homepi
    password: PASSWORD_GOES_HERE
    tls: true
    verify: false
    recipient:
      - sophi@homepi
```

I have clients connected that accepted self-signed certificates just fine. When I at first disabled the validation, the integration worked fine, but some client didn't want to connect to the server without encryption. When I try to use the notification now I get:

```
2023-11-21 17:28:48.588 ERROR (MainThread) [slixmpp.xmlstream.xmlstream] CERT: Invalid certificate trust chain.
2023-11-21 17:28:48.589 INFO (MainThread) [slixmpp.xmlstream.xmlstream] connection_lost: (SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)'),)
2023-11-21 17:28:51.979 ERROR (MainThread) [homeassistant] Error doing job: Task was destroyed but it is pending!
```

I briefly looked in the code and I see https://github.com/home-assistant/core/blob/dece6c80426488e831d34941b3b43e0a9de08ca0/homeassistant/components/xmpp/notify.py#L156

And it makes me think: should the `ssl_invalid_chain` event be used/handled as well? https://codeberg.org/poezio/slixmpp/src/branch/master/slixmpp/xmlstream/xmlstream.py#L846

That said, it feels to me that the SSLError is assumed to be related to trust chain.

What version of Home Assistant Core has the issue?

core-2023.9.1

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

Jabber (XMPP)

Link to integration documentation on our website

https://www.home-assistant.io/integrations/xmpp

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

home-assistant[bot] commented 11 months ago

Hey there @fabaff, @flowolf, mind taking a look at this issue as it has been labeled with an integration (xmpp) you are listed as a code owner for? Thanks!


sophipl commented 11 months ago

There is a workaround I found, which is to add the certificate to /etc/ssl/certs/ca-certificates.crt in the container. And adding an `ssl_invalid_chain` handler doesn't prevent disconnection when I used the library myself using the example program.

issue-triage-workflows[bot] commented 8 months ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

flowolf commented 8 months ago

I guess the workaround is fine.

Not validating the cert is something that should be avoided anyhow, so I guess we can leave this as is.

flowolf commented 8 months ago

@home-assistant close

sophipl commented 8 months ago

PS, self-signed certificates are a good thing. If you don't expose your services to the internet, it's a good option to have encrypted transfer.
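Added example, not part of the thread and not Home Assistant or slixmpp code: the three trust policies discussed above, expressed with Python's standard `ssl` module. The pinned variant trusts one self-signed certificate for a single connection instead of editing the container's system CA bundle or turning verification off. The names `build_tls_context` and `trust_summary` are hypothetical, and the PEM path in the usage comment is a placeholder.

```python
import ssl
from typing import Optional, Tuple


def build_tls_context(verify: bool = True,
                      ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context for one of three trust policies.

    verify=True,  ca_file=None -> system CA bundle, hostname checked
    verify=True,  ca_file=path -> trust ONLY the PEM file given (pinning)
    verify=False               -> encryption without authentication
    """
    if not verify:
        ctx = ssl.create_default_context()
        # Order matters: hostname checking has to be switched off first,
        # otherwise assigning CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if ca_file is not None:
        # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED, check_hostname=True
        # and an empty trust store, so only ca_file is trusted afterwards.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file)
        return ctx

    # Default: system CA bundle. A self-signed server certificate fails
    # here with CERTIFICATE_VERIFY_FAILED, as in the log quoted above.
    return ssl.create_default_context()


def trust_summary(ctx: ssl.SSLContext) -> Tuple[str, bool]:
    """Return (verify mode name, hostname check enabled) for auditing."""
    return ctx.verify_mode.name, ctx.check_hostname


if __name__ == "__main__":
    print("default :", trust_summary(build_tls_context()))
    print("insecure:", trust_summary(build_tls_context(verify=False)))
    # Pinned usage (placeholder path to the exported server certificate):
    # ctx = build_tls_context(ca_file="/config/xmpp-server.pem")
```

With the pinned context the hostname check stays on, so the self-signed certificate must carry the server's name in its subjectAltName.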
