Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sslv3 alert bad certificate #1069

Open
pidario opened this issue May 18, 2023 · 5 comments · May be fixed by #1070
Open

sslv3 alert bad certificate #1069

pidario opened this issue May 18, 2023 · 5 comments · May be fixed by #1070

Comments

@pidario
Copy link

pidario commented May 18, 2023

Context:
OS: Arch
vdirsyncer v0.19.x
python v3.11.3

This applies to vdirsyncer (v0.19.0 and v0.19.1) installed from either pipx, pip or community arch repository.

I use xandikos server behind a reverse proxy. I use mutual TLS authentication, the configuration is the following:

[general]
status_path = "/path/to/vdirsyncer/status/"

[pair contacts]
a = "contacts_local"
b = "contacts_remote"
collections = ["from a", "from b"]

[storage contacts_local]
type = "filesystem"
path = "/path/to/contacts/"
fileext = ".vcf"

[storage contacts_remote]
type = "carddav"
url = "https://mydavserver"
auth_cert = ["/path/to/cert.pem", "/path/to/key.pem"]
verify = "/etc/ssl/cert.pem"

This started to happen after python 3.11 update:
whenever I try to launch vdirsyncer discover I get the following error:
error: Unknown error occurred: [Errno 1] [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2576)

It looks like vdirsyncer is not using the client certificate and key because if I manually add in this if block this line of code:

ssl.load_cert_chain(*self._settings["cert"])

the error is gone.

On a side note, I also had to add the line verify = "/etc/ssl/cert.pem" to my configuration, which I didn't have before. If I omit it, I get that same error from before. Maybe there was a change in the python module ecosystem that stopped the modules from using OS certificates bundle?

Downgrading to v0.18.0 fixes both issues.

Any idea what might have gone wrong with the upgrade to 0.19?
Thanks in advance.
WhyNotHugo added a commit that referenced this issue May 18, 2023
@WhyNotHugo
Fix client certificate support
537bbd9 
Fixes: #1069
@WhyNotHugo WhyNotHugo linked a pull request May 18, 2023 that will close this issue
Open
@WhyNotHugo
Copy link
Member

Not sure why CI is failing; longintrepr.h is part of the python package on Arch.

@pidario
Copy link
Author

pidario commented May 18, 2023

It is indeed part of python package on Arch. I don't know how to help you here.
Anyway, mine is a dirty trick that I found out by playing around with aiohttp, I'm not sure that would be good for the whole project. The failing CI is a clear indicator that I'm right. If I knew that was the optimal fix I would have opened a PR myself.
The only sure thing I can say is that by introducing aiohttp (if I'm not mistaken in v0.18.0 it wasn't there) broke something but I'm sure there is a better approach to fix this issue.

@WhyNotHugo
Copy link
Member

Your approach doesn't seem to break anything (at least not on some limited testing that I did locally). I wanted to get CI to run to make sure it doesn't break a any other test scenarios, but the CI failure is entirely unrelated.

@WhyNotHugo
Copy link
Member

The only sure thing I can say is that by introducing aiohttp (if I'm not mistaken in v0.18.0 it wasn't there) broke something but I'm sure there is a better approach to fix this issue.

Yeah, some of the TLS bits had to be re-written and I think some less common features were left out (like client certs).

@pidario
Copy link
Author

pidario commented May 18, 2023

Thanks for the explanation. Hope you'll figure this out soon! Let me know if I can be of any help.

WhyNotHugo added a commit that referenced this issue Aug 8, 2023
@WhyNotHugo
Fix client certificate support
35c5d49 
Fixes: #1069
WhyNotHugo added a commit that referenced this issue Sep 24, 2023
@WhyNotHugo
Fix client certificate support
a09a5a4 
Fixes: #1069
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix client certificate support pimutils/vdirsyncer
2 participants
@WhyNotHugo @pidario