Your message dated Sun, 11 Feb 2018 00:51:37 +0000
with message-id <e1ekfrl-0001rd...@fasolo.debian.org>
and subject line Bug#864257: fixed in sleekxmpp 1.3.3-2
has caused the Debian Bug report #864257,
regarding python3-sleekxmpp: TLS certificate verification fails
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
864257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864257
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-sleekxmpp
Version: 1.3.1-6
Severity: normal

Dear Maintainer,

I have been using painintheapt on several systems running jessie, jessie-backports, and stretch. For quite some time the hosts running jessie-backports and stretch have been failing to execute painintheapt, in fact there's an infinite loop. Today I decided to investigate the problem and discovered a bug in sleekxmpp.

I tweaked a copy of the painintheapt script to enable debug logging which produced the following output, with reconnection attempts repeated indefinitely:

    DEBUG Waiting 2.072999311351683 seconds before connecting.
    DEBUG DNS: Querying SRV records for unzane.com
    DEBUG DNS: Querying jabber.unzane.com for AAAA records.
    DEBUG DNS: Querying jabber.unzane.com for A records.
    DEBUG Connecting to [2001:470:e861:4::2]:5222
    DEBUG Event triggered: connected
    DEBUG ==== TRANSITION disconnected -> connected
    DEBUG Starting HANDLER THREAD
    DEBUG Loading event runner
    DEBUG SEND (IMMED): <stream:stream to='unzane.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
    DEBUG RECV: <stream:stream id="15762184421087048225" version="1.0" from="unzane.com" xml:lang="en">
    DEBUG RECV: <stream:features xmlns="http://etherx.jabber.org/streams"><c xmlns="http://jabber.org/protocol/caps" node="http://www.process-one.net/en/ejabberd/" hash="sha-1" ver="N+nCub6oxVjIxxoREHOeJv4wQNU=" /><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
    DEBUG SEND (IMMED): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls>
    DEBUG RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
    DEBUG Starting TLS
    INFO Negotiating TLS
    INFO Using SSL version: TLSv1
    DEBUG CERT: -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    DEBUG Event triggered: ssl_cert
    ERROR time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1492, in _process
        if not self.__read_xml():
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1564, in __read_xml
        self.__spawn_event(xml)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1632, in __spawn_event
        handler.prerun(stanza_copy)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line 64, in prerun
        self.run(payload, True)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line 76, in run
        self._pointer(payload)
      File "/usr/lib/python3/dist-packages/sleekxmpp/features/feature_starttls/starttls.py", line 64, in _handle_starttls_proceed
        if self.xmpp.start_tls():
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 889, in start_tls
        cert.verify(self._expected_server_name, self._der_cert)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 141, in verify
        not_before, not_after = extract_dates(raw_cert)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 118, in extract_dates
        not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
      File "/usr/lib/python3.5/_strptime.py", line 510, in _strptime_datetime
        tt, fraction = _strptime(data_string, format)
      File "/usr/lib/python3.5/_strptime.py", line 343, in _strptime
        (data_string, format))
    ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
    DEBUG reconnecting...
    DEBUG Event triggered: session_end
    DEBUG SEND (IMMED): </stream:stream>
    INFO Waiting for </stream:stream> from server
    DEBUG Event triggered: disconnected
    DEBUG ==== TRANSITION connected -> disconnected
    DEBUG connecting...
    DEBUG Waiting 2.238069225097097 seconds before connecting.
    ...

The "ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'" exception shows that sleekxmpp is expecting a two digit year rather than a four digit year.

Further inspection of the extract_dates function in xmlstream/cert.py reveals some programming mistakes:

    def extract_dates(raw_cert):
        if not HAVE_PYASN1:
            log.warning("Could not find pyasn1 and pyasn1_modules. " + \
                        "SSL certificate expiration COULD NOT BE VERIFIED.")
            return None, None

        cert = decoder.decode(raw_cert, asn1Spec=Certificate())[0]
        tbs = cert.getComponentByName('tbsCertificate')
        validity = tbs.getComponentByName('validity')

        not_before = validity.getComponentByName('notBefore')
        not_before = str(not_before.getComponent())  # ①

        not_after = validity.getComponentByName('notAfter')
        not_after = str(not_after.getComponent())  # ①

        if isinstance(not_before, GeneralizedTime):  # ②
            not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
        else:
            not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')  # ③

        if isinstance(not_after, GeneralizedTime):  # ②
            not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
        else:
            not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ')  # ③

        return not_before, not_after

At ①, the use of str() causes the isinstance() test at ② to always be False, resulting in strptime() calls at ③ which use %y instead of %Y and throw ValueError. It looks like this was for some compatibility with ancient versions of pyasn1.

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-sleekxmpp depends on:
ii  python3                 3.5.3-1
ii  python3-dnspython       1.15.0-1
ii  python3-pyasn1          0.1.9-2
ii  python3-pyasn1-modules  0.0.7-0.1

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil  2.5.3-2
ii  python3-gnupg     0.3.9-1
ii  python3-socks     1.6.5-1

python3-sleekxmpp suggests no packages.

-- no debconf information

-- 
Gerald Turner <gtur...@unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
--- End Message ---
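
An added example, not from the bug report or from sleekxmpp: date handling that picks the strptime format from the ASN.1 tag of the DER-encoded Time value rather than from a value already flattened with str(). The function names and the two UTCTime samples are constructed for illustration; the GeneralizedTime sample reuses the notBefore string from the log above, and the two-digit-year pivot follows RFC 5280.

```python
from datetime import datetime

# DER tags of the two alternatives of the X.509 "Time" CHOICE.
TAG_UTC_TIME = 0x17          # YYMMDDHHMMSSZ   (two-digit year)
TAG_GENERALIZED_TIME = 0x18  # YYYYMMDDHHMMSSZ (four-digit year)

# Constructed DER samples (assumptions for illustration). The first carries
# the notBefore string shown in the log; the other two are made up.
GENERALIZED_SAMPLE = b"\x18\x0f" + b"20140407172700Z"
UTC_SAMPLE = b"\x17\x0d" + b"140407172700Z"
UTC_1950_SAMPLE = b"\x17\x0d" + b"500101000000Z"


def parse_x509_time(tlv: bytes) -> datetime:
    """Decode one DER Time TLV, choosing the format from its ASN.1 tag."""
    if len(tlv) < 2 or tlv[1] >= 0x80 or len(tlv) != 2 + tlv[1]:
        raise ValueError("expected a single short-form DER TLV")
    tag, text = tlv[0], tlv[2:].decode("ascii")
    if tag == TAG_GENERALIZED_TIME and len(text) == 15:
        return datetime.strptime(text, "%Y%m%d%H%M%SZ")
    if tag == TAG_UTC_TIME and len(text) == 13:
        # RFC 5280: YY >= 50 means 19YY, YY < 50 means 20YY. strptime's %y
        # pivots at 69 instead, so expand the year before parsing.
        century = "19" if int(text[:2]) >= 50 else "20"
        return datetime.strptime(century + text, "%Y%m%d%H%M%SZ")
    raise ValueError("not a well-formed X.509 Time: tag 0x%02x, %r" % (tag, text))


def effective_old_behaviour(text: str) -> datetime:
    """What the reported function ends up doing for every certificate:
    after str(), the isinstance() test is False, so %y is always used."""
    return datetime.strptime(text, "%y%m%d%H%M%SZ")


if __name__ == "__main__":
    for sample in (GENERALIZED_SAMPLE, UTC_SAMPLE, UTC_1950_SAMPLE):
        print(sample[2:].decode(), "->", parse_x509_time(sample))
    try:
        effective_old_behaviour("20140407172700Z")
    except ValueError as exc:
        print("old code path:", exc)
    print("%y pivot:", effective_old_behaviour("500101000000Z").year)
```

The last line of the demo shows a second difference: even for a genuine UTCTime value, %y maps years 50 to 68 into the 2000s, where RFC 5280 places them in the 1900s.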
--- Begin Message ---
Source: sleekxmpp
Source-Version: 1.3.3-2

We believe that the bug you reported is fixed in the latest version of
sleekxmpp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
W. Martin Borgert <deba...@debian.org> (supplier of updated sleekxmpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 11 Feb 2018 00:10:45 +0000
Source: sleekxmpp
Binary: python-sleekxmpp python3-sleekxmpp
Architecture: source all
Version: 1.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: W. Martin Borgert <deba...@debian.org>
Description:
 python-sleekxmpp - Python XMPP (Jabber) Library Implementing Everything as a Plugin
 python3-sleekxmpp - Python XMPP (Jabber) Library Implementing Everything as a Plugin
Closes: 864257
Changes:
 sleekxmpp (1.3.3-2) unstable; urgency=medium
 .
   * fixes TLS date handling for both two digit and four digit years
     (Closes: #864257 again)
   * fixes compatibility issues with pyasn1 >= 0.4.1
     (would need to be removed for backport)
   * add examples
   * add sphinx docs
--- End Message ---