With the latest git version it is not possible to use both auth_cert and verify_fingerprint.
If you try to do that, you will get this error:
Syncing calendar
debug: ====================
[cut]
debug: Sending request...
error: Unknown error occurred for calendar: 'Fingerprint' object has no attribute 'load_cert_chain'
error: Use `-vdebug` to see the full traceback.
[cut]
debug: File "/usr/lib/python3/dist-packages/vdirsyncer/http.py", line 134, in request
debug: ssl_context.load_cert_chain(*cert)
debug: ^^^^^^^^^^^^^^^^^^^^^^^^^^^
When verify_fingerprint is specified, ssl_context is the return value of https://github.com/pimutils/vdirsyncer/blob/d1f93ea0becfa4966ef73c05ec6bc75b2bdf42bf/vdirsyncer/http.py#L83
In my understanding, this is the correct way of doing fingerprint pinning using aiohttp; unfortunately the Fingerprint object doesn't have a load_cert_chain method.
This is a limitation of aiohttp and there is already an issue that tracks it: https://github.com/aio-libs/aiohttp/issues/3679
Until that issue is resolved, it is possible to make vdirsyncer work by monkey-patching session._connector._make_ssl_context (I can create a PR if this approach is acceptable).
There is a more general security problem when using fingerprint pinning and client certs together in Python: the fingerprint will be checked only after the client cert verification has already happened. This problem can't be fixed in either vdirsyncer or aiohttp.
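The combination the issue describes, written out with the standard library rather than aiohttp, as an added example that is not part of the issue, of vdirsyncer or of aiohttp. It builds one ssl.SSLContext that carries the client certificate chain and disables CA/hostname checks (the pin replaces them), and then compares SHA-256 over the server's DER leaf certificate against the configured pin after the handshake. The function names, the colon-separated hex pin format and the SAMPLE_DER bytes are assumptions made for this example; the ordering it makes visible (the client certificate is sent during wrap_socket, the pin is checked only afterwards) is the limitation the last paragraph points out.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def parse_fingerprint(text: str) -> bytes:
    """Parse a SHA-256 fingerprint given as hex, with or without ':' separators."""
    digest = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(digest) != 32:
        raise ValueError(f"expected a 32-byte SHA-256 fingerprint, got {len(digest)} bytes")
    return digest


def make_client_context(certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Context for fingerprint pinning plus an optional client certificate.

    CA verification and hostname checking are disabled because the pin replaces
    them; the client cert chain is loaded into the same context, which is what
    aiohttp's Fingerprint-based context cannot do today.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # the pin, not a CA, authenticates the server
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)   # assumed paths to PEM files
    return ctx


def verify_peer_fingerprint(peer_cert_der: bytes, expected: str) -> bool:
    """Constant-time comparison of SHA-256(DER leaf cert) against the pin.

    Only callable after the handshake; by then the client certificate loaded in
    make_client_context has already been presented to the still-unverified server.
    """
    actual = hashlib.sha256(peer_cert_der).digest()
    return hmac.compare_digest(actual, parse_fingerprint(expected))


def pinned_connect(host: str, port: int, expected: str,
                   certfile: Optional[str] = None,
                   keyfile: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection, then enforce the pin; close and raise on mismatch."""
    ctx = make_client_context(certfile, keyfile)
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)   # handshake: client cert goes out here
    der = tls.getpeercert(binary_form=True)            # DER leaf cert, available even with CERT_NONE
    if der is None or not verify_peer_fingerprint(der, expected):
        tls.close()
        raise ssl.SSLError("server certificate fingerprint does not match the configured pin")
    return tls


# Constructed stand-in for a DER-encoded leaf certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-stand-in-for-a-der-certificate"
# Pin in the colon-separated hex form assumed for this example.
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())
```

pinned_connect needs a live server and real certificate files, so it is not exercised offline; the pin parsing and comparison are, against the constructed sample above.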