[Pkg-privacy-maintainers] Bug#1105177: onionprobe: TLS (https) probes fail to verify certificates

Gabriel Filion lelutin at torproject.org
Mon May 12 21:56:43 BST 2025


Package: onionprobe
Version: 1.2.0+ds-1
Severity: normal
Tags: upstream patch

Hello,

I've just tried setting up onionprobe 1.2.0 on a trixie host to make it 
monitor a .onion service with https (on port 443). After some delay, 
onionprobe checked the site and showed the following errors:

May 12 20:13:48 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 
20:13:48,480 INFO: Trying to do a TLS connection to 
v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 
443 (attempt 1)...
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 
20:13:50,194 INFO: TLS connection succeeded at 
v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 
20:13:50,194 INFO: Retrieving certificate information for 
v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 
/usr/lib/python3/dist-packages/onionprobe/certificate.py:212: 
CryptographyDeprecationWarning: Properties that return a naïve datetime 
object have been deprecated. Please switch to not_valid_before_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]:   not_valid_before = 
cert.not_valid_before.timestamp()
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 
/usr/lib/python3/dist-packages/onionprobe/certificate.py:213: 
CryptographyDeprecationWarning: Properties that return a naïve datetime 
object have been deprecated. Please switch to not_valid_after_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]:   not_valid_after  = 
cert.not_valid_after.timestamp()
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 
/usr/lib/python3/dist-packages/onionprobe/certificate.py:142: 
CryptographyDeprecationWarning: Properties that return a naïve datetime 
object have been deprecated. Please switch to not_valid_after_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]:   'notAfter' 
: cert.not_valid_after.replace(
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 
/usr/lib/python3/dist-packages/onionprobe/certificate.py:144: 
CryptographyDeprecationWarning: Properties that return a naïve datetime 
object have been deprecated. Please switch to not_valid_before_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]:   'notBefore' 
: cert.not_valid_before.replace(
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 
/usr/lib/python3/dist-packages/onionprobe/certificate.py:177: 
CryptographyDeprecationWarning: Properties that return a naïve datetime 
object have been deprecated. Please switch to not_valid_after_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]:   not_valid_after = 
cert.not_valid_after.replace(tzinfo=timezone.utc).timestamp()
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 
20:13:50,198 ERROR: module 'ssl' has no attribute 'match_hostname'


The result is a metric onion_service_valid_certificate exported to 
Prometheus with a value of 2 indicating that the certificate is invalid, 
but curl is able to reach the website without errors. Really the issue 
seems to be that the code failed to run its verification.

Upstream has already addressed the errors above, so we could backport the 
patches:

https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/commit/26b18404cdd3bb64d73eba0df6b09b014232d3ae

https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/merge_requests/110/commits


cheers!

-- System Information:
Debian Release: trixie/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.22-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE 
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages onionprobe depends on:
ii  adduser                    3.150
ii  init-system-helpers        1.68
ii  python3                    3.13.3-1
ii  python3-cryptography       43.0.0-2
ii  python3-prometheus-client  0.21.1+ds1-1
ii  python3-requests           2.32.3+dfsg-5
ii  python3-socks              1.7.1+dfsg-1
pn  python3-stem               <none>
ii  python3-yaml               6.0.2-1+b2
ii  tor                        0.4.8.16-1

onionprobe recommends no packages.

Versions of packages onionprobe suggests:
pn  prometheus  <none>
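The two failures in the log above, ssl.match_hostname being gone (removed in Python 3.12) and the naive not_valid_* properties being deprecated, as an added example that is neither onionprobe's code nor the upstream patch: a hostname match against the certificate's subjectAltName entries plus a validity-window check that relies on neither. The wildcard rule is my own conservative choice and an assumption; the SAN list and validity window are constructed, only the onion address comes from the report.

```python
# Added illustration, not onionprobe's own code: ssl.match_hostname was removed in
# Python 3.12, so a probe must match the target name against the certificate's
# subjectAltName dNSNames itself, and should take the validity window from the
# timezone-aware not_valid_before_utc / not_valid_after_utc properties that the
# CryptographyDeprecationWarning in the report points to.
from datetime import datetime, timedelta, timezone

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one SAN dNSName against a hostname. '*' is
    accepted only as the whole left-most label with at least two labels after
    it (an assumed, conservative rule), so '*.onion' never covers an address."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def match_hostname(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName entry covers hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)

def certificate_status(san_dns_names, not_before_utc, not_after_utc, hostname, now=None):
    """Return 'valid', 'not_yet_valid', 'expired' or 'hostname_mismatch'. Bounds
    must be timezone-aware, as cert.not_valid_before_utc/after_utc return them."""
    if not_before_utc.tzinfo is None or not_after_utc.tzinfo is None:
        raise ValueError("naive datetimes are ambiguous: use the *_utc properties")
    now = now or datetime.now(timezone.utc)
    if now < not_before_utc:
        return "not_yet_valid"
    if now > not_after_utc:
        return "expired"
    if not match_hostname(san_dns_names, hostname):
        return "hostname_mismatch"
    return "valid"

# Constructed sample: the onion address from the report, a made-up 90-day
# validity window, and the report's timestamp as a fixed "now".
ONION = "v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion"
NOW = datetime(2025, 5, 12, 20, 13, 50, tzinfo=timezone.utc)

def demo() -> dict:
    nb, na = NOW - timedelta(days=30), NOW + timedelta(days=60)
    return {
        "match": certificate_status([ONION], nb, na, ONION, NOW),
        "mismatch": certificate_status(["other.onion"], nb, na, ONION, NOW),
        "expired": certificate_status([ONION], nb, NOW - timedelta(days=1), ONION, NOW),
    }
```

A probe that hits an exception on this path should report "check failed" rather than "certificate invalid", so that a missing library attribute does not masquerade as a bad certificate in the exported metric.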
