[Python-modules-team] Bug#864257: python3-sleekxmpp: TLS certificate verification fails

Gerald Turner gturner at unzane.com
Mon Jun 5 19:08:51 UTC 2017


Package: python3-sleekxmpp
Version: 1.3.1-6
Severity: normal

Dear Maintainer,

I have been using painintheapt on several systems running jessie,
jessie-backports, and stretch.  For quite some time the hosts running
jessie-backports and stretch have been failing to execute painintheapt,
in fact there's an infinite loop.  Today I decided to investigate the
problem and discovered a bug in sleekxmpp.

I tweaked a copy of the painintheapt script to enable debug logging
which produced the following output, with reconnection attempts repeated
indefinitely:

  DEBUG    Waiting 2.072999311351683 seconds before connecting.
  DEBUG    DNS: Querying SRV records for unzane.com
  DEBUG    DNS: Querying jabber.unzane.com for AAAA records.
  DEBUG    DNS: Querying jabber.unzane.com for A records.
  DEBUG    Connecting to [2001:470:e861:4::2]:5222
  DEBUG    Event triggered: connected
  DEBUG     ==== TRANSITION disconnected -> connected
  DEBUG    Starting HANDLER THREAD
  DEBUG    Loading event runner
  DEBUG    SEND (IMMED): <stream:stream to='unzane.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
  DEBUG    RECV: <stream:stream id="15762184421087048225" version="1.0" from="unzane.com" xml:lang="en">
  DEBUG    RECV: <stream:features xmlns="http://etherx.jabber.org/streams"><c xmlns="http://jabber.org/protocol/caps" node="http://www.process-one.net/en/ejabberd/" hash="sha-1" ver="N+nCub6oxVjIxxoREHOeJv4wQNU=" /><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
  DEBUG    SEND (IMMED): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls>
  DEBUG    RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
  DEBUG    Starting TLS
  INFO     Negotiating TLS
  INFO     Using SSL version: TLSv1
  DEBUG    CERT: -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----

  DEBUG    Event triggered: ssl_cert
  ERROR    time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1492, in _process
      if not self.__read_xml():
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1564, in __read_xml
      self.__spawn_event(xml)
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1632, in __spawn_event
      handler.prerun(stanza_copy)
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line 64, in prerun
      self.run(payload, True)
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line 76, in run
      self._pointer(payload)
    File "/usr/lib/python3/dist-packages/sleekxmpp/features/feature_starttls/starttls.py", line 64, in _handle_starttls_proceed
      if self.xmpp.start_tls():
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 889, in start_tls
      cert.verify(self._expected_server_name, self._der_cert)
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 141, in verify
      not_before, not_after = extract_dates(raw_cert)
    File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 118, in extract_dates
      not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
    File "/usr/lib/python3.5/_strptime.py", line 510, in _strptime_datetime
      tt, fraction = _strptime(data_string, format)
    File "/usr/lib/python3.5/_strptime.py", line 343, in _strptime
      (data_string, format))
  ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
  DEBUG    reconnecting...
  DEBUG    Event triggered: session_end
  DEBUG    SEND (IMMED): </stream:stream>
  INFO     Waiting for </stream:stream> from server
  DEBUG    Event triggered: disconnected
  DEBUG     ==== TRANSITION connected -> disconnected
  DEBUG    connecting...
  DEBUG    Waiting 2.238069225097097 seconds before connecting.
  ...

The "ValueError: time data '20140407172700Z' does not match format
'%y%m%d%H%M%SZ'" exception shows that sleekxmpp is expecting a two digit year
rather than a four digit year.

Further inspection of the extract_dates function in xmlstream/cert.py reveals
some programming mistakes:

  def extract_dates(raw_cert):
      if not HAVE_PYASN1:
          log.warning("Could not find pyasn1 and pyasn1_modules. " + \
                      "SSL certificate expiration COULD NOT BE VERIFIED.")
          return None, None

      cert = decoder.decode(raw_cert, asn1Spec=Certificate())[0]
      tbs = cert.getComponentByName('tbsCertificate')
      validity = tbs.getComponentByName('validity')

      not_before = validity.getComponentByName('notBefore')
①     not_before = str(not_before.getComponent())

      not_after = validity.getComponentByName('notAfter')
①     not_after = str(not_after.getComponent())

②     if isinstance(not_before, GeneralizedTime):
          not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
      else:
③         not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')

②     if isinstance(not_after, GeneralizedTime):
          not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
      else:
③         not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ')

      return not_before, not_after

At ①, the use of str() causes the isinstance() test at ② to always be False,
resulting in strptime() calls at ③ which use %y instead of %Y and throw
ValueError.

It looks like this was for some compatibility with ancient versions of
pyasn1.

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-sleekxmpp depends on:
ii  python3                 3.5.3-1
ii  python3-dnspython       1.15.0-1
ii  python3-pyasn1          0.1.9-2
ii  python3-pyasn1-modules  0.0.7-0.1

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil  2.5.3-2
ii  python3-gnupg     0.3.9-1
ii  python3-socks     1.6.5-1

python3-sleekxmpp suggests no packages.

-- no debconf information

-- 
Gerald Turner <gturner at unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
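To show the correct form of the decision that extract_dates() gets wrong, here is an added example (not sleekxmpp's code, and not from the bug reporter): the strptime format is selected from the ASN.1 tag of the DER Time value before the value is turned into a string. To stay standard-library only it decodes the Time TLV by hand rather than through pyasn1; the tag constants, the encode_time helper, the validity_check function and the notAfter value are assumptions or constructed test data, while the notBefore string is the one in the traceback above.

```python
from datetime import datetime

# DER universal tags of the two alternatives in the X.509 Time CHOICE.
UTC_TIME_TAG = 0x17          # UTCTime:         YYMMDDHHMMSSZ
GENERALIZED_TIME_TAG = 0x18  # GeneralizedTime: YYYYMMDDHHMMSSZ

def encode_time(tag, text):
    """Build a DER Time TLV from tag and ASCII content (for constructed samples)."""
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body

def decode_time(der):
    """Decode one DER Time TLV into a naive UTC datetime.

    The strptime format is chosen from the ASN.1 tag, before the value is
    turned into a string. That is the step the original extract_dates()
    lost: after str(), isinstance(x, GeneralizedTime) is never True, so
    every date fell through to the %y branch.
    """
    if len(der) < 2 or der[1] & 0x80:
        raise ValueError("malformed Time TLV")
    tag, length = der[0], der[1]
    text = der[2:2 + length].decode("ascii")
    if len(text) != length:
        raise ValueError("truncated Time content")
    if tag == GENERALIZED_TIME_TAG:
        return datetime.strptime(text, "%Y%m%d%H%M%SZ")
    if tag == UTC_TIME_TAG:
        # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, YY < 50 means 20YY
        # (strptime's own %y pivot is 69, so expand the century by hand).
        century = 19 if int(text[:2]) >= 50 else 20
        return datetime.strptime("%d%s" % (century, text), "%Y%m%d%H%M%SZ")
    raise ValueError("tag 0x%02x is not UTCTime or GeneralizedTime" % tag)

def buggy_parse(text):
    """What the str()-first code ends up doing for every date, whatever its tag."""
    return datetime.strptime(text, "%y%m%d%H%M%SZ")

def validity_check(not_before_der, not_after_der, now):
    """True iff `now` lies inside the certificate's validity window."""
    return decode_time(not_before_der) <= now <= decode_time(not_after_der)

# Constructed samples: notBefore as it appears in the report's traceback
# (GeneralizedTime holding a 2014 date, which RFC 5280 says should have been
# UTCTime), plus a made-up notAfter encoded as UTCTime.
NOT_BEFORE = encode_time(GENERALIZED_TIME_TAG, "20140407172700Z")
NOT_AFTER = encode_time(UTC_TIME_TAG, "270407172700Z")
```

Running buggy_parse on the report's notBefore string reproduces the ValueError from the log, while decode_time accepts the same value once the tag, not the string, drives the format.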