| Summary: | net-im/gajim-0.15.2-r2: can't connect to some servers - TypeError: 'X509' object has no attribute '__getitem__' | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alexander Tsoy <alexander> |
| Component: | Current packages | Assignee: | Justin Lecher (RETIRED) <jlec> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | net-im |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Attachments: | connection.py, emerge --info gajim | | |

Description
Alexander Tsoy
2013-02-21 11:46:54 UTC

Please test version 0.15.2-r3.

No, you are right. Could you please attach /usr/lib64/python2.7/site-packages/gajim/common/connection.py

Created attachment 339612
connection.py

Could you please attach the output of emerge --info gajim

If I add corresponding CA certificate of a problematic server to ~/.local/share/gajim/secrets, then instead of a traceback I get a message box with this error:

"It seems the SSL certificate of account xxxxxxxx.xx has changed or your connection is being hacked.
Old fingerprint: 88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2
New fingerprint: 2

Do you still want to connect and update the fingerprint of the certificate?"

%)

Created attachment 339736
emerge --info gajim

(In reply to comment #6)
> If I add corresponding CA certificate of a problematic server to
> ~/.local/share/gajim/secrets, then instead of a traceback I get a message
> box with this error:
>
> "It seems the SSL certificate of account xxxxxxxx.xx has changed or your
> connection is being hacked.
> Old fingerprint: 88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2
> New fingerprint: 2
>
> Do you still want to connect and update the fingerprint of the certificate?"
>
> %)

I also saw this.

That's bad. Hopefully upstream will release soonish so that we can fix this. I will see what I can do.

> I will see what I can do.
At least remove the code from patch that changes con.Connection.ssl_fingerprint_sha1 to con.Connection.ssl_fingerprint_sha1[-1] and con.Connection.ssl_cert_pem to con.Connection.ssl_cert_pem[-1] — these variables have type 'str', not 'list', so the patch (gajim-0.15.2-CVE-2012-5524.patch) is partially incorrect.
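
Added example, not part of the original thread and not Gajim's code: a Python 3 illustration of why indexing a `str` fingerprint with `[-1]` produces the "New fingerprint: 2" dialog, next to a comparison that tolerates either a string or a list and rejects malformed values instead of prompting. All function names are hypothetical, and the old fingerprint from the report is reused as sample input.

```python
import hmac

# "Old fingerprint" quoted in the dialog above; reused here as sample input.
PINNED_SHA1 = "88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2"


def patched_lookup(ssl_fingerprint_sha1):
    """The indexing the comment objects to: fine for a list, wrong for a str."""
    return ssl_fingerprint_sha1[-1]


def pick_fingerprint(value):
    """Hypothetical helper: accept one fingerprint or a non-empty list of them."""
    if isinstance(value, str):
        return value
    if isinstance(value, (list, tuple)) and value:
        return pick_fingerprint(value[-1])
    raise TypeError("unsupported fingerprint container: " + type(value).__name__)


def normalize(fingerprint):
    """Uppercase hex without separators; reject anything that is not 20 bytes."""
    digits = fingerprint.replace(":", "").upper()
    if len(digits) != 40 or set(digits) - set("0123456789ABCDEF"):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return digits


def fingerprint_changed(pinned, presented):
    """True only when a well-formed presented fingerprint differs from the pin."""
    new = normalize(pick_fingerprint(presented))
    return not hmac.compare_digest(normalize(pinned), new)


if __name__ == "__main__":
    # On a str, [-1] yields the last character: the "New fingerprint: 2" symptom.
    print("patched lookup on str :", patched_lookup(PINNED_SHA1))
    print("patched lookup on list:", patched_lookup([PINNED_SHA1]))
    print("changed (str input)   :", fingerprint_changed(PINNED_SHA1, PINNED_SHA1))
    try:
        fingerprint_changed(PINNED_SHA1, patched_lookup(PINNED_SHA1))
    except ValueError as exc:
        print("rejected              :", exc)
```
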

(In reply to comment #9)
> 'list', so the patch (gajim-0.15.2-CVE-2012-5524.patch) is partially
> incorrect.

You are absolutely right. I added what upstream committed as fix for this issue, but it seems they added some more code changes which aren't related to this issue. I am testing the corrected patch and will commit it if everything is fine.

I corrected the patch to fix the fingerprint issue. Could you please try and see whether everything is working again?

+*gajim-0.15.2-r4 (23 Feb 2013) + + 23 Feb 2013; Justin Lecher <jlec@gentoo.org> -gajim-0.15.2-r2.ebuild, + gajim-0.15.2-r3.ebuild, +gajim-0.15.2-r4.ebuild, + files/gajim-0.15.2-CVE-2012-5524.patch: + Drop parts of upstream which should fix CVE-2012-5524 but added more code + which is incompatible with current implementation +

(In reply to comment #11)
> I corrected the patch to fix the fingerprint issue. Could you please try and
> see whether everything is working again?

I can confirm that the new patch fixes the issue with SHA-1 fingerprint, thanks.

Alexander, is your problem also fixed?

(In reply to comment #14)
> Alexander, is your problem also fixed?

Problem with SHA-1 fingerprint is fixed. But there is another problem: gajim-0.15.2-r3 silently fails to connect to the server if CA certificate is unavailable. Vanilla gajim-0.15.2 in this case shows an error message and allows ignoring this error in the future:

"There was an error verifying the SSL certificate of your jabber server: The authenticity of the xxxxxxx.xx certificate could be invalid.
SSL Error: Unable to verify the first certificate
Do you still want to connect to this server?"

Could you please try 0.15.3 and see how that works?

0.15.3 works as expected.
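
Review bot: the ChangeLog entry for gajim-0.15.2-r4 says parts of the upstream change were dropped from files/gajim-0.15.2-CVE-2012-5524.patch but does not say which ones. Naming them (the thread points at the [-1] indexing of con.Connection.ssl_fingerprint_sha1 and con.Connection.ssl_cert_pem) and stating that the remaining hunks still address CVE-2012-5524 would let someone auditing the ebuild confirm the security fix was not removed along with the incompatible code.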