Bug 458572 - net-im/gajim-0.15.2-r2: can't connect to some servers - TypeError: 'X509' object has no attribute '__getitem__'
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Justin Lecher (RETIRED)
Reported: 2013-02-21 11:46 UTC by Alexander Tsoy
Modified: 2013-04-23 10:47 UTC
Attachments
connection.py (connection.py,110.85 KB, text/plain)
2013-02-21 17:57 UTC, Alexander Tsoy
emerge --info gajim (emerge-info-gajim,5.59 KB, text/plain)
2013-02-22 19:21 UTC, Alexander Tsoy
Description Alexander Tsoy 2013-02-21 11:46:54 UTC
gajim-0.15.2-r2 fails to connect to some servers. Maybe applying the one patch which fixes Bug 442860 is not enough and some other patches should be applied too? I get this traceback on stderr:

Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/idlequeue.py", line 533, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/idlequeue.py", line 394, in _process_events
    obj.pollin()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/transports_nb.py", line 414, in pollin
    self._do_receive()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/transports_nb.py", line 600, in _do_receive
    self._on_receive(received)
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/transports_nb.py", line 614, in _on_receive
    self.on_receive(data)
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 318, in <lambda>
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 353, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 376, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 412, in _on_stream_start
    self._on_connect()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 449, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/lib64/python2.7/site-packages/gajim/common/connection.py", line 1285, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/lib64/python2.7/site-packages/gajim/common/connection.py", line 1329, in connection_accepted
    certificate=con.Connection.ssl_certificate[i]))
TypeError: 'X509' object has no attribute '__getitem__'


gajim-0.15.2 works fine

Reproducible: Always
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2013-02-21 16:44:10 UTC
Please test version 0.15.2-r3.
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2013-02-21 16:56:28 UTC
No, you are right.
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2013-02-21 17:47:29 UTC
Could you please attach
/usr/lib64/python2.7/site-packages/gajim/common/connection.py
Comment 4 Alexander Tsoy 2013-02-21 17:57:12 UTC
Created attachment 339612 [details]
connection.py
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2013-02-22 17:33:45 UTC
Could you please attach the output of

emerge --info gajim
Comment 6 Alexander Tsoy 2013-02-22 19:11:42 UTC
If I add the corresponding CA certificate of a problematic server to ~/.local/share/gajim/secrets, then instead of a traceback I get a message box with this error:

"It seems the SSL certificate of account xxxxxxxx.xx has changed or your connection is being hacked.
Old fingerprint: 88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2
New fingerprint: 2

Do you still want to connect and update the fingerprint of the certificate?"

%)
Comment 7 Alexander Tsoy 2013-02-22 19:21:05 UTC
Created attachment 339736 [details]
emerge --info gajim
Comment 8 Justin Lecher (RETIRED) gentoo-dev 2013-02-22 21:31:25 UTC
(In reply to comment #6)
> If I add corresponding CA certificate of a problematic server to
> ~/.local/share/gajim/secrets, then instead of a traceback I get a message
> box with this error:
> 
> "It seems the SSL certificate of account xxxxxxxx.xx has changed or your
> connection is being hacked.
> Old fingerprint: 88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2
> New fingerprint: 2
> 
> Do you still want to connect and update the fingerprint of the certificate?"
> 
> %)

I also saw this. That's bad. Hopefully upstream will release soonish so that we can fix this.
I will see what I can do.
Comment 9 Nikolay Edigaryev 2013-02-23 09:38:51 UTC
>I will see what I can do.

At least remove the code from the patch that changes con.Connection.ssl_fingerprint_sha1 to con.Connection.ssl_fingerprint_sha1[-1] and con.Connection.ssl_cert_pem to con.Connection.ssl_cert_pem[-1] — these variables have type 'str', not 'list', so the patch (gajim-0.15.2-CVE-2012-5524.patch) is partially incorrect.
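Added example, not part of the bug thread and not Gajim's code: it shows why indexing a `str` fingerprint with `[-1]` produces a one-character "new fingerprint" like the one in comment 6, and one way a caller could accept either shape before comparing against the stored value. The helper names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import re

# 20 colon-separated hex bytes, the format of the "Old fingerprint" in the dialog.
SHA1_FP = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2}){19}")


def sha1_fingerprint(der_bytes):
    """Format the SHA-1 digest of certificate bytes as AA:BB:...:FF."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def backported_leaf(value):
    """What the partial backport did: index with [-1] whatever it was given."""
    return value[-1]  # on a str this is the last character, not a fingerprint


def leaf_fingerprint(value):
    """Hypothetical helper: accept a str or a list of str, return one valid fingerprint."""
    if isinstance(value, (list, tuple)):
        if not value:
            raise ValueError("empty fingerprint list")
        value = value[-1]  # same element the patch selected
    if not isinstance(value, str) or not SHA1_FP.fullmatch(value):
        raise ValueError("not a SHA-1 fingerprint: %r" % (value,))
    return value


def certificate_changed(pinned, presented):
    """True only when two well-formed fingerprints differ."""
    return leaf_fingerprint(pinned) != leaf_fingerprint(presented)


# Constructed sample input, not a real certificate.
PINNED = sha1_fingerprint(b"constructed certificate bytes")

if __name__ == "__main__":
    print("backport sees:", backported_leaf(PINNED))
    print("changed:", certificate_changed(PINNED, PINNED))
```

Validating the fingerprint's shape before comparing turns the type mismatch into an explicit error instead of a misleading "certificate has changed" prompt.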
Comment 10 Justin Lecher (RETIRED) gentoo-dev 2013-02-23 09:48:55 UTC
(In reply to comment #9)
> 'list', so the patch (gajim-0.15.2-CVE-2012-5524.patch) is partially
> incorrect.

You are absolutely right. I added what upstream committed as the fix for this issue, but it seems they added some more code changes which aren't related to this issue.

I am testing the corrected patch and will commit it if everything is fine.
Comment 11 Justin Lecher (RETIRED) gentoo-dev 2013-02-23 10:28:14 UTC
I corrected the patch to fix the fingerprint issue. Could you please try and see whether everything is working again?
Comment 12 Justin Lecher (RETIRED) gentoo-dev 2013-02-23 10:32:29 UTC
+*gajim-0.15.2-r4 (23 Feb 2013)
+
+  23 Feb 2013; Justin Lecher <jlec@gentoo.org> -gajim-0.15.2-r2.ebuild,
+  gajim-0.15.2-r3.ebuild, +gajim-0.15.2-r4.ebuild,
+  files/gajim-0.15.2-CVE-2012-5524.patch:
+  Drop parts of upstream which should fix CVE-2012-5524 but added more code
+  which is incompatible with current implementation
+
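Review bot: The entry text in the last two added lines ("Drop parts of upstream which should fix CVE-2012-5524 but added more code which is incompatible with current implementation") does not say which parts of files/gajim-0.15.2-CVE-2012-5524.patch were dropped, nor that the remaining part still addresses the CVE. For a security patch, name the dropped changes so a later reader can tell the trimmed patch apart from upstream's. In the file list, gajim-0.15.2-r3.ebuild carries no + or - marker while -r2 is removed and -r4 is added; state what changed in -r3 or whether it was meant to be removed as well.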
Comment 13 Nikolay Edigaryev 2013-02-23 14:13:58 UTC
(In reply to comment #11)
> I corrected the patch to fix the fingerprint issue. Could you please try and
> see whether everything is working again?

I can confirm that the new patch fixes the issue with SHA-1 fingerprint, thanks.
Comment 14 Justin Lecher (RETIRED) gentoo-dev 2013-02-24 09:56:56 UTC
Alexander, is your problem also fixed?
Comment 15 Alexander Tsoy 2013-02-24 14:41:04 UTC
(In reply to comment #14)
> Alexander, is you problem also fixed?

The problem with the SHA-1 fingerprint is fixed. But there is another problem: gajim-0.15.2-r3 silently fails to connect to the server if the CA certificate is unavailable. Vanilla gajim-0.15.2 in this case shows an error message and allows ignoring this error in the future:

"There was an error verifying the SSL certificate of your jabber server: The authenticity of the xxxxxxx.xx certificate could be invalid.
SSL Error: Unable to verify the first certificate
Do you still want to connect to this server?"
Comment 16 Justin Lecher (RETIRED) gentoo-dev 2013-03-18 08:45:52 UTC
Could you please try 0.15.3 and see how that works?
Comment 17 Alexander Tsoy 2013-03-18 14:27:13 UTC
0.15.3 works as expected.