jasonrbriggs / stomp.py

“stomp.py” is a Python client library for accessing messaging servers (such as ActiveMQ or RabbitMQ) using the STOMP protocol (versions 1.0, 1.1 and 1.2). It can also be run as a standalone, command-line client for testing.
Apache License 2.0

Latest v8.0.0 release has a breaking change. get_server_certificate occasionally throws SSLV3_ALERT_BAD_CERTIFICATE #375

Status: Closed (maksim36ua closed 2 years ago)

maksim36ua commented 2 years ago

Hi, recently I've discovered that our external connection stopped working with some environments.

We have an integration with an app that has dev, stage and prod. For some reason, the dev connection is working fine, but the other two started to throw an exception while checking the server cert:

[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1129)

After some debugging, I've discovered that the source of the issue is ssl.get_server_certificate((host, port)). Server certs are valid. Located here: https://github.com/jasonrbriggs/stomp.py/blob/dev/stomp/transport.py#L764

Reverting the stomp version back to v7.0.0 (without server cert check) fixed the issue.

P.S.: I'll try to provide some additional details, but for now it might be useful for anyone who faces the same issue.

mikebonnet commented 2 years ago

I've seen this as well. It appears to be related to servers that are configured to require client authentication. ssl.get_server_certificate() makes a new connection to the server without using the client certs provided in Connection.set_ssl(), and this can result in the error above (which basically indicates a missing client cert). I believe #380 should resolve the issue.
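The difference between the two connection patterns described in the comment above, as an added example that is not part of the thread and not stomp.py's code. It uses only the standard `ssl` and `socket` modules; the function names and `CLIENT_CERT_ALERTS` are hypothetical.

```python
import socket
import ssl

# OpenSSL alert names (as they appear in ssl.SSLError) that a server may send
# when the client certificate is missing or rejected. Assumption: this list is
# illustrative, not exhaustive; some servers send a generic handshake_failure.
CLIENT_CERT_ALERTS = (
    "SSLV3_ALERT_BAD_CERTIFICATE",
    "TLSV13_ALERT_CERTIFICATE_REQUIRED",
)


def build_client_context(ca_file=None, cert_file=None, key_file=None):
    """Verifying client context; presents a client cert when one is given."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def connect_and_get_server_cert(host, port, ctx, timeout=10.0):
    """One handshake: returns (tls_socket, server certificate as PEM).

    The certificate is read from the session that already presented the
    client cert. ssl.get_server_certificate((host, port)) would instead open
    a second connection with no client cert, which a server that requires
    client authentication can reject with a certificate alert.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    return tls, ssl.DER_cert_to_PEM_cert(der)


def client_cert_alert(exc):
    """Return the alert name if exc looks like a client-auth rejection."""
    if not isinstance(exc, ssl.SSLError):
        return None
    text = "%s %s" % (getattr(exc, "reason", None) or "", exc)
    for name in CLIENT_CERT_ALERTS:
        if name in text:
            return name
    return None
```

`client_cert_alert` is useful in logging around the connect call: a non-`None` result points at client authentication on the server side rather than at the server's own certificate.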

jasonrbriggs commented 2 years ago

Merged the MR, thanks.