Your message dated Sun, 11 Feb 2018 00:51:37 +0000
with message-id <[email protected]>
and subject line Bug#864257: fixed in sleekxmpp 1.3.3-2
has caused the Debian Bug report #864257,
regarding python3-sleekxmpp: TLS certificate verification fails
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
864257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864257
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-sleekxmpp
Version: 1.3.1-6
Severity: normal
Dear Maintainer,
I have been using painintheapt on several systems running jessie,
jessie-backports, and stretch. For quite some time the hosts running
jessie-backports and stretch have been failing to execute painintheapt,
in fact there's an infinite loop. Today I decided to investigate the
problem and discovered a bug in sleekxmpp.
I tweaked a copy of the painintheapt script to enable debug logging
which produced the following output, with reconnection attempts repeated
indefinitely:
DEBUG Waiting 2.072999311351683 seconds before connecting.
DEBUG DNS: Querying SRV records for unzane.com
DEBUG DNS: Querying jabber.unzane.com for AAAA records.
DEBUG DNS: Querying jabber.unzane.com for A records.
DEBUG Connecting to [2001:470:e861:4::2]:5222
DEBUG Event triggered: connected
DEBUG ==== TRANSITION disconnected -> connected
DEBUG Starting HANDLER THREAD
DEBUG Loading event runner
DEBUG SEND (IMMED): <stream:stream to='unzane.com'
xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'
xml:lang='en' version='1.0'>
DEBUG RECV: <stream:stream id="15762184421087048225" version="1.0"
from="unzane.com" xml:lang="en">
DEBUG RECV: <stream:features xmlns="http://etherx.jabber.org/streams";><c
xmlns="http://jabber.org/protocol/caps";
node="http://www.process-one.net/en/ejabberd/"; hash="sha-1"
ver="N+nCub6oxVjIxxoREHOeJv4wQNU=" /><starttls
xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls><compression
xmlns="http://jabber.org/features/compress";><method>zlib</method></compression></stream:features>
DEBUG SEND (IMMED): <starttls
xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls>
DEBUG RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
DEBUG Starting TLS
INFO Negotiating TLS
INFO Using SSL version: TLSv1
DEBUG CERT: -----BEGIN CERTIFICATE-----
MIIGdjCCBF6gAwIBAgIEALIrzTANBgkqhkiG9w0BAQsFADBdMTgwNgYDVQQDEy9V
bnphbmUgSW50ZXJtZWRpYXRlIENlcnRpZmljYXRlIEF1dGhvcml0eSAoUlNBKTEh
MB8GA1UECgwY8J+GhPCfhb3wn4aJ8J+FsPCfhb3wn4W0MCIYDzIwMTQwNDA3MTcy
NzAwWhgPMjAzODAxMTkwMzE0MDdaMCIxIDAeBgNVBAMTF255YXJsYXRob3RlcC51
bnphbmUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo/IzfzDD
EHc1NO/EzOGT8+l8Uqiu2ZLt89gohrxgohijWRFLJCJHoD8Q9NgVhYRXPQMzWxC1
hzZfps8UDGUeDfgfEbW2NdvXRElSUexgcb4pqIJlQEUQ7qe22mETMqYwu7jSgswz
Rg7LQqbNRQRKYQRbAezhGe/reHm8mhKoV6guz7XPBHGxJMvWxgiwfNXFZJ3tlp7W
Qu0zz/f/CZKS+Y5QqfAcwyfbnD/jV4ekixi/utt77Qq3AhxbZmW6TuoKuGiD9JBA
+51XFbI3Xkf5yokfZaj7cVGes+ntZMNmDOXyuHnf1zsUYfDentWqwclMdjPO6hu4
oagzy245PlsAiRgdFqrngrimTmKn+Ab/uaMq/y+XU5e1wnBP1WgWynFmfIw3fXhI
gRjrrnM2tcLshS0Tmwf8NAUivKS+yf5wEdFdXmAWwjaOqIm4Co7PxCb722X4MaR4
0y9whFDVFl87wv2C21n0yPRqnsk6CViSA1NqFk7IEiYF/VrQRZ5wtZor4ImzLyNM
gfaI7WrkbnRn5isSZZn3CIKkSelcVADPAq0XuLqAcY4pr3ttt3DJd9bgYRsKq9ZQ
f408fRlLmVbxYh2sl15p8uowClHTxng7wnuMt+kCVL8TACXiohnF7TrvOL+/5zjz
jzgCgC8NfHnhnCyY/jlOOqnOewS44Dx7o4UCAwEAAaOCAXMwggFvMAwGA1UdEwEB
/wQCMAAwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDETCB
owYDVR0RBIGbMIGYghdueWFybGF0aG90ZXAudW56YW5lLmNvbYIKdW56YW5lLmNv
bYIRamFiYmVyLnVuemFuZS5jb22CEyouamFiYmVyLnVuemFuZS5jb22CEHdlYXZl
LnVuemFuZS5jb22CD3NvZ28udW56YW5lLmNvbYITZnVuYW1ib2wudW56YW5lLmNv
bYIRbXVtYmxlLnVuemFuZS5jb20wDwYDVR0PAQH/BAUDAwegADAdBgNVHQ4EFgQU
2aIsO1Rktllh9KaeS6LqBYp2A+cwHwYDVR0jBBgwFoAUuz3o+9sxu31sw58Q19zU
HVuefiUwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cHM6Ly93d3cudW56YW5lLmNvbS94
NTA5L3Jldm9jYXRpb24tcnNhLnBlbTANBgkqhkiG9w0BAQsFAAOCAgEAmGKimuSw
xMtIomsygb0U1qoui5h2pkhI5UnPMAFvUm5bMwkSHgrMhyC31P2XI1zA9FovtTxV
Olm8RrdPV0wJ/tgfBHLZ6a8DpuEYhD+1llrQ81RowcfQHYsdKs2SHuChe85hJiVz
IpZZXDXKsiyKnrvtOPETitWI+KhYcEDChO/kwoL3jG6ffKhjrkNDXO4iuiwTJidN
CHNmkKWKwN1ywXmuopt5eD6x/QMPjs45GPL7WU5FtHcdjDHPcWv4xl4yXj/O2HBy
RgoshWLdxOisP7Cy+BT6IM9PwqqNF657ke7nsdZr/BA2AdXlcwObGixLqLMcz6On
IGR8RfenmcZVBWrZnMOPuv9snJZzPWmbYGl/v0Tk+L72WhJa4/22TnjJWRmq4Daq
DLOZYQtsV/FPHM+Q+Je9amR7CXZx/j+s97ZVQEaj5Y6bqgQoTL36L2LtKlUo2tI2
y4FjGiMdI+bqOqfe1TOV6F4NoepDoAtT6DUvH/rdB2GV8MKe8YPaimhJe62L9gzx
LkuFv4uPO+qhzP8MN9tbB3F6jyHYJI7d0sn2WFzFIBlbNkaI3oYvxevpugEkLP1t
KgeGGXolMxYz8S9rNTr9aSSYjLVsdOsTOMS6h0nvFIF/EhvWOqIDAXkj+v9TIwyH
j3shn0Jwh8RgTYLNHNyD36+MO6p5imiVODg=
-----END CERTIFICATE-----
DEBUG Event triggered: ssl_cert
ERROR time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py",
line 1492, in _process
if not self.__read_xml():
File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py",
line 1564, in __read_xml
self.__spawn_event(xml)
File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py",
line 1632, in __spawn_event
handler.prerun(stanza_copy)
File
"/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line
64, in prerun
self.run(payload, True)
File
"/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line
76, in run
self._pointer(payload)
File
"/usr/lib/python3/dist-packages/sleekxmpp/features/feature_starttls/starttls.py",
line 64, in _handle_starttls_proceed
if self.xmpp.start_tls():
File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py",
line 889, in start_tls
cert.verify(self._expected_server_name, self._der_cert)
File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line
141, in verify
not_before, not_after = extract_dates(raw_cert)
File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line
118, in extract_dates
not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
File "/usr/lib/python3.5/_strptime.py", line 510, in _strptime_datetime
tt, fraction = _strptime(data_string, format)
File "/usr/lib/python3.5/_strptime.py", line 343, in _strptime
(data_string, format))
ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
DEBUG reconnecting...
DEBUG Event triggered: session_end
DEBUG SEND (IMMED): </stream:stream>
INFO Waiting for </stream:stream> from server
DEBUG Event triggered: disconnected
DEBUG ==== TRANSITION connected -> disconnected
DEBUG connecting...
DEBUG Waiting 2.238069225097097 seconds before connecting.
...
The "ValueError: time data '20140407172700Z' does not match format
'%y%m%d%H%M%SZ'" exception shows that sleekxmpp is expecting a two digit year
rather than a four digit year.
Further inspection of the extract_dates function in xmlstream/cert.py reveals
some programming mistakes:
def extract_dates(raw_cert):
if not HAVE_PYASN1:
log.warning("Could not find pyasn1 and pyasn1_modules. " + \
"SSL certificate expiration COULD NOT BE VERIFIED.")
return None, None
cert = decoder.decode(raw_cert, asn1Spec=Certificate())[0]
tbs = cert.getComponentByName('tbsCertificate')
validity = tbs.getComponentByName('validity')
not_before = validity.getComponentByName('notBefore')
① not_before = str(not_before.getComponent())
not_after = validity.getComponentByName('notAfter')
① not_after = str(not_after.getComponent())
② if isinstance(not_before, GeneralizedTime):
not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
else:
③ not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
② if isinstance(not_after, GeneralizedTime):
not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
else:
③ not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ')
return not_before, not_after
At ①, the use of str() causes the isinstance() test at ② always be False
resulting in strptime() calls at ③ which use %y instead of %Y and throw
ValueError.
It looks like this was for some compatibility with ancient versions of
pyasn1.
-- System Information:
Debian Release: 9.0
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3-sleekxmpp depends on:
ii python3 3.5.3-1
ii python3-dnspython 1.15.0-1
ii python3-pyasn1 0.1.9-2
ii python3-pyasn1-modules 0.0.7-0.1
Versions of packages python3-sleekxmpp recommends:
ii python3-dateutil 2.5.3-2
ii python3-gnupg 0.3.9-1
ii python3-socks 1.6.5-1
python3-sleekxmpp suggests no packages.
-- no debconf information
--
Gerald Turner <[email protected]> Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: sleekxmpp
Source-Version: 1.3.3-2
We believe that the bug you reported is fixed in the latest version of
sleekxmpp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
W. Martin Borgert <[email protected]> (supplier of updated sleekxmpp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 11 Feb 2018 00:10:45 +0000
Source: sleekxmpp
Binary: python-sleekxmpp python3-sleekxmpp
Architecture: source all
Version: 1.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team
<[email protected]>
Changed-By: W. Martin Borgert <[email protected]>
Description:
python-sleekxmpp - Python XMPP (Jabber) Library Implementing Everything as a
Plugin
python3-sleekxmpp - Python XMPP (Jabber) Library Implementing Everything as a
Plugin
Closes: 864257
Changes:
sleekxmpp (1.3.3-2) unstable; urgency=medium
.
* fixes TLS date handling for both two digit and four digit yearx
(Closes: #864257 again)
* fixes compatibility issues with pyasn1 >= 0.4.1
(would need to removed for backport)
* add examples
* add sphinx docs
Checksums-Sha1:
ed27dc9460665c6b9de400c698e22496930f501b 2246 sleekxmpp_1.3.3-2.dsc
1415a8c9503e19f5a262743dd97e0d6f2d8f9329 22132 sleekxmpp_1.3.3-2.debian.tar.xz
a95e1c93e07f83481d3355323d8032f4684e8e88 902760
python-sleekxmpp_1.3.3-2_all.deb
7c64d062932ab503c5ec8a146e89c7725656bad2 902832
python3-sleekxmpp_1.3.3-2_all.deb
54f197cb2055cf41960d8472e8aeb9a4e764ad35 8470 sleekxmpp_1.3.3-2_amd64.buildinfo
Checksums-Sha256:
0320cecc2a087d92557ebc6dd3edeaba641bcc7e92f65c6b3edc598038b7d94d 2246
sleekxmpp_1.3.3-2.dsc
5926242d31df5a21334dfc6f3614cc7c4417c2ac3084ce3813d62b74984a7398 22132
sleekxmpp_1.3.3-2.debian.tar.xz
dae1358ba9142cf74b961f418832419dabbb11c622fafe5ab0b8cc5de0fd52c6 902760
python-sleekxmpp_1.3.3-2_all.deb
edf13f2a5d2947f81cbc73356189de81d81060459f10a83295b0fcc72e22945e 902832
python3-sleekxmpp_1.3.3-2_all.deb
3db7404383f23304b1f4b08a50bfa824acc36bdd9e405719433c617043b6887d 8470
sleekxmpp_1.3.3-2_amd64.buildinfo
Files:
cecf5f2cc94ceef0226e96b3f60fed7c 2246 python optional sleekxmpp_1.3.3-2.dsc
a1f0ebdda1ab9338c1976a4d6d95e553 22132 python optional
sleekxmpp_1.3.3-2.debian.tar.xz
41828d6a312385ccbeae57384a31fc34 902760 python optional
python-sleekxmpp_1.3.3-2_all.deb
b41a7ad394fe830629a22db3bf7bfaf3 902832 python optional
python3-sleekxmpp_1.3.3-2_all.deb
7ce9b2b4181e46acab707412a273be07 8470 python optional
sleekxmpp_1.3.3-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEftHeo0XZoKEY1KdA4+Chwoa5Y+oFAlp/jxoACgkQ4+Chwoa5
Y+rHBRAAkIgcFQz6NkyVQ6GnTDX2AK7UxtyZe9ey0QBeVqYkjq4Ya7w99n6pespF
M0b2qnS+VJHrU1cbhJ0ebLhlNTZKIaDoqaxAq9oqwnEyIVf+9OE+QBX5z7NNAnnV
LytZusF9SBZDV255g1KuFlUuo4TDDBShl+jNXAjM1aOjFUTBsEjYcunAb2viDAaN
/0f4w1jW7g/vdOJdVetMaPgvkq+d6pel7LmBbjeTG5bTbFf5ldVrzok/v+IY/UDk
Z8NArumJLh7XmJOIBQpkzKiGQIRRuQW9CEFh2DOwocyqIcrr58vxf/P9IZydsFyx
rVSEvgJIfHpWDyYbsK+G//BZ/ZNJzwsSaZa1iyj7kB/gobB5Wl6duOahQt84Eq7P
rRe0s0K9BcuPxubeIjSlW3QKckTETKyHVRzHyiHcdMD0ocgH6OoKAL0+AaMloz8n
insZ9zQA+W0N7UJ7G2JyGhJTgme7m1pZX/W0W8L52W3RU8AZ46FEJsvJS2sztKKV
yhQyv4ebYcTjMsashEix0XYrizR9lxfUR3fcKNffovnCfe/VxoHuXm56eG4Wa1b8
pDvUFB0+SN2r9ZL1lTA+//ZZ7H4bA0PwbI5puxB+2NYOGRbY1vZ34YB3Wz/5LPuM
7sBI5Kf5xJGymOSHJDTiNYBQ2BvZQcvgBHxjylLOxWNtHSH/puw=
=5Iwi
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
