
Disable ssl VERIFY_X509_STRICT with self-signed certificate DNS #737

Merged
merged 3 commits into from
Dec 17, 2024

Conversation


@therve therve commented Dec 7, 2024

The new flag enforced in Python 3.13 with
python/cpython#107361 doesn't work with the semi broken Freebox self signed certificates.

It should fix home-assistant/core#132333

Fixes #734

@olivierh65

olivierh65 commented Dec 13, 2024

For me, this doesn't solve the problem described in home-assistant/core#132333.

I had to disable certificate verification:

```diff
  ssl_ctx = ssl.create_default_context()
  ssl_ctx.load_verify_locations(cafile=cert_path)
+ ssl_ctx.check_hostname = False
+ ssl_ctx.verify_mode = ssl.CERT_NONE

  conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
  self._session = aiohttp.ClientSession(connector=conn)
```
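Review bot: the two `+` lines disable certificate validation entirely rather than only the checks Python 3.13 turned on: `ssl_ctx.verify_mode = ssl.CERT_NONE` stops the peer certificate from being validated at all and `ssl_ctx.check_hostname = False` stops it from being matched against the host, so any certificate, including one presented by a man-in-the-middle, is accepted, and the `load_verify_locations(cafile=cert_path)` call just above no longer has any effect. Leave `verify_mode` and `check_hostname` at the defaults from `create_default_context()` and clear only `ssl.VERIFY_X509_STRICT` from `ssl_ctx.verify_flags`, which is what this PR's title proposes.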

@therve
Author

therve commented Dec 14, 2024

It's surprising. There is no reason for the SSL verification to work in python 3.12 and to start failing suddenly with 3.13. The main thing that changed with 3.13 is the 2 additional flags. Can you try disabling VERIFY_X509_PARTIAL_CHAIN?
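The context below is an added example, written for this page and not code from the freebox-api project or from anyone in this thread. It shows the approach the PR title describes: keep `CERT_REQUIRED` and hostname checking from `create_default_context()` and clear only `VERIFY_X509_STRICT` for the Freebox hostnames, matching them by exact name or suffix rather than by substring. The `cafile` parameter stands in for the project's bundled PEM and is optional so the example runs without it; the host list, the helper names and the `verification_enabled`/`uses_default_verify_flags` checks are assumptions made for the example.

```python
import ssl
from typing import Optional

# Hostnames that present the Freebox self-signed certificate. Assumed for this
# example from the names discussed in the thread: an exact match for the fixed
# name and a suffix match for the per-box *.fbxos.fr names.
FREEBOX_EXACT_HOSTS = frozenset({"mafreebox.freebox.fr"})
FREEBOX_SUFFIXES = (".fbxos.fr",)


def is_freebox_host(host: str) -> bool:
    """Return True only for the Freebox hostnames themselves.

    A substring test such as '".fbxos.fr" in host' would also accept a name like
    'abc.fbxos.fr.attacker.example'; an exact or suffix match does not.
    """
    h = host.strip().lower().rstrip(".")  # normalise case and a trailing dot
    if h in FREEBOX_EXACT_HOSTS:
        return True
    return any(h.endswith(suffix) for suffix in FREEBOX_SUFFIXES)


def build_ssl_context(host: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying context, relaxing only the strict X.509 checks for Freebox hosts.

    `cafile` is a stand-in for the project's bundled PEM (freebox_certificates.pem)
    and is skipped when not given so the example runs offline.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    if is_freebox_host(host):
        # Python 3.13 enables VERIFY_X509_STRICT by default; under it OpenSSL
        # rejects certificates that lack extensions such as the Authority Key
        # Identifier, which is the error reported in this thread. Clearing only
        # that flag keeps chain building, signature checks and hostname matching
        # in place, unlike setting verify_mode to CERT_NONE.
        ctx.verify_flags = ctx.verify_flags & ~ssl.VERIFY_X509_STRICT
    return ctx


def strict_checks_enabled(ctx: ssl.SSLContext) -> bool:
    """True when VERIFY_X509_STRICT is still set on the context."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the peer certificate is still validated and matched against the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def uses_default_verify_flags(ctx: ssl.SSLContext) -> bool:
    """True when the context keeps exactly the flags this Python version enables by default."""
    return ctx.verify_flags == ssl.create_default_context().verify_flags


if __name__ == "__main__":
    for name in ("mafreebox.freebox.fr", "abcdef.fbxos.fr", "abcdef.fbxos.fr.attacker.example"):
        c = build_ssl_context(name)
        print(name, "freebox:", is_freebox_host(name), "strict:", strict_checks_enabled(c),
              "verifying:", verification_enabled(c))
```

For hosts that are not a Freebox, the context is left exactly as `create_default_context()` produced it, so whatever strict checks the running Python version enables stay on; only the Freebox case is relaxed, and even there the certificate is still validated against the loaded CA bundle and the hostname.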

@olivierh65

I tried to disable only VERIFY_X509_PARTIAL_CHAIN , but it didn't solve the problem.

@therve
Author

therve commented Dec 14, 2024

OK I'm not sure what's going on. I can confirm that this PR works for me with a Delta.

@Quentame
Member

Currently testing on Revolution

@Quentame
Member

@olivierh65 : what Freebox model, Freebox firmware version and Python version do you have ?

@Quentame Quentame self-assigned this Dec 15, 2024
@Quentame
Member

From py3.11: OK ✅
To py3.13 before your PR: ❌

aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host mafreebox.freebox.fr:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1018)')]

To py3.13 after your PR: OK ✅


@Quentame Quentame left a comment


Tested and working, thanks!

@jeanrobertjs

@olivierh65 : what Freebox model, Freebox firmware version and Python version do you have ?

I have the same issue on Freebox Delta.

These are my configs:

Python version = 3.13

and from http://mafreebox.freebox.fr/api_version I get:

```
"box_model_name": "Freebox v7 (r1)",
"https_available": true,
"box_model": "fbxgw7-r1/full",
"api_version": "12.2",
"device_type": "FreeboxServer7,1"
```

@Quentame How can I test your PR, pls?

@olivierh65

olivierh65 commented Dec 16, 2024 via email

@Quentame
Member

@jeanrobertjs

How can I test your PR, pls?

By running this file


@olivierh65

If you create a new domain with a Let's Encrypt certificate, and use this domain to connect the plug-in, it should work.

What I wrote there home-assistant/core#132333 (comment) 😉

@Quentame Quentame changed the title Disable ssl VERIFY_X509_STRICT Disable ssl VERIFY_X509_STRICT with self-signed certificate DNS Dec 17, 2024
@Quentame Quentame added the bug Something isn't working label Dec 17, 2024
@Quentame Quentame merged commit 8b2a0d2 into hacf-fr:master Dec 17, 2024
1 check passed
@olivierh65

@jeanrobertjs

@olivierh65

If you create a new domain with a Let's Encrypt certificate, and use this domain to connect the plug-in, it should work.

What I wrote there home-assistant/core#132333 (comment) 😉

Yes, it was just a confirmation

@@ -118,6 +118,10 @@ async def open(self, host: str, port: str) -> None:
cert_path = os.path.join(os.path.dirname(__file__), "freebox_certificates.pem")
ssl_ctx = ssl.create_default_context()
ssl_ctx.load_verify_locations(cafile=cert_path)
if ".fbxos.fr" in host or "mafreebox.freebox.fr" in host:
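Review bot: the substring tests on the `if` line, `".fbxos.fr" in host` and `"mafreebox.freebox.fr" in host`, match any hostname that merely contains those strings, for example `mafreebox.freebox.fr.example.net` under a domain someone else controls, so the relaxed verification intended for the Freebox would be applied to that host as well. Use an exact match and a suffix match instead, `if host == "mafreebox.freebox.fr" or host.endswith(".fbxos.fr"):`, lower-casing `host` and stripping a trailing dot first if it comes from user configuration. The hunk header announces four added lines but only this `if` is visible, so the lines that actually clear the flag could not be checked here.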

I think a host.endswith(".fbxos.fr") and host == "mafreebox.freebox.fr" would be safer.
