I had a look, but have not yet been able to figure out the correct solution.
I tested this draft patch, but it is incomplete and not working.
--- /usr/lib/python3/dist-packages/sockschain/__init__.py.orig 2024-07-10 07:20:11.900229940 +0200
+++ /usr/lib/python3/dist-packages/sockschain/__init__.py 2024-07-10 07:23:32.072978598 +0200
@@ -105,7 +105,7 @@
     from OpenSSL import SSL
     HAVE_SSL = HAVE_PYOPENSSL = True
-    def SSL_Connect(ctx, sock,
+    def SSL_Connect(ctx, sock, destaddr, destport,
                     server_side=False, accepted=False, connected=False,
                     verify_names=None):
         if DEBUG: DEBUG('*** TLS is provided by pyOpenSSL')
@@ -191,27 +191,24 @@
         return (valid > 0)
-    def SSL_Connect(ctx, sock,
+    def SSL_Connect(ctx, sock, destaddr, destport,
                     server_side=False, accepted=False, connected=False,
                     verify_names=None):
         if DEBUG: DEBUG('*** TLS is provided by native Python ssl')
         reqs = (verify_names and ssl.CERT_REQUIRED or ssl.CERT_NONE)
+        context = ssl.create_default_context()
+
+        with socket.create_connection((destaddr, destport)) as sock:
         try:
-            fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file,
-                                 certfile=ctx.certchain_file,
-                                 cert_reqs=reqs,
-                                 ca_certs=ctx.ca_certs,
+            fd = context.wrap_socket(sock,
                                  do_handshake_on_connect=False,
-                                 ssl_version=ctx.method, ciphers=ctx.ciphers,
+                                 server_hostname=destaddr,
                                  server_side=server_side)
         except:
-            fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file,
-                                 certfile=ctx.certchain_file,
-                                 cert_reqs=reqs,
-                                 ca_certs=ctx.ca_certs,
+            fd = context.wrap_socket(sock,
                                  do_handshake_on_connect=False,
-                                 ssl_version=ctx.method,
+                                 server_hostname=destaddr,
                                  server_side=server_side)
         if verify_names:
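Review bot: The added `with socket.create_connection((destaddr, destport)) as sock:` dials the destination directly and rebinds `sock`, so the TLS handshake no longer runs over the already-connected (proxied) socket the caller passed in, and because the `with` closes that new socket on exit the returned `fd` would sit on a closed transport; as pasted, `try:` is also not indented under the `with`, so I assume the file that produced the traceback differs slightly from this hunk. `reqs`, `ctx.ca_certs`, `ctx.certchain_file`/`ctx.privatekey_file` and `ctx.ciphers` are still computed or available but no longer reach the context, so `ssl.create_default_context()` trusts only the system store and always demands a matching name, while `server_hostname=destaddr` gives it the IP that was dialled rather than the name to verify, which is the `IP address mismatch` in the traceback. The call site in the `@@ -962` hunk already passes `want_hosts` as `verify_names`, which looks like the right source for SNI and the name check (its shape is not visible here; confirm it is a sequence of hostnames). I would drop the `create_connection` line, keep wrapping `sock`, configure the context from `ctx` and `reqs`, and pass the expected name as `server_hostname`, as sketched below; the old cipher-string fallback can be re-added around `set_ciphers` if it is still needed. The trailing `if verify_names:` block and the rest of SSL_Connect continue outside the hunk.
```python
        reqs = (verify_names and ssl.CERT_REQUIRED or ssl.CERT_NONE)
        # Wrap the socket the caller handed us (already connected through the
        # proxy chain); do not dial destaddr/destport a second time.
        purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
        context = ssl.create_default_context(purpose)
        if ctx.ca_certs:
            context.load_verify_locations(ctx.ca_certs)
        if ctx.certchain_file:
            context.load_cert_chain(ctx.certchain_file, ctx.privatekey_file)
        if ctx.ciphers:
            context.set_ciphers(ctx.ciphers)
        # Same policy as the old cert_reqs=reqs: check_hostname must be cleared
        # before verify_mode may be lowered to CERT_NONE.
        context.check_hostname = bool(verify_names) and not server_side
        context.verify_mode = reqs
        # SNI and the built-in name check use the name the caller expects on the
        # certificate, never the address that was dialled (assumes verify_names
        # is a sequence of names, as want_hosts at the call site suggests).
        sni = verify_names[0] if (verify_names and not server_side) else None
        fd = context.wrap_socket(sock, do_handshake_on_connect=False,
                                 server_hostname=sni, server_side=server_side)
        # … unchanged: if verify_names: … (existing name verification) …
```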
@@ -962,7 +959,7 @@
                 ctx.load_verify_locations(ca_certs)
             self.__sock.setblocking(1)
-            self.__sock = SSL_Connect(ctx, self.__sock,
+            self.__sock = SSL_Connect(ctx, self.__sock, destaddr, destport,
                                       connected=True, verify_names=want_hosts)
         except:
             if DEBUG: DEBUG('*** SSL problem: %s/%s/%s' % (sys.exc_info(),
I now get this error about incorrect certificate: juli 10 07:24:45 freedombox pagekite[17017]: ts=668e1b1d; t=2024-07-10T05:24:45; ll=15; err=Error in connect: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pagekite/proto/conns.py", line 647, in _BackEnd data, parse = self._Connect(server, conns) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pagekite/proto/conns.py", line 466, in _Connect self.fd.connect((sspec[0], int(sspec[1]))) File "/usr/lib/python3/dist-packages/sockschain/__init__.py", line 1055, in connect self.__negotiatessl(nexthop[0], nexthop[1], proxy, File "/usr/lib/python3/dist-packages/sockschain/__init__.py", line 962, in __negotiatessl self.__sock = SSL_Connect(ctx, self.__sock, destaddr, destport, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/sockschain/__init__.py", line 215, in SSL_Connect fd.do_handshake() File "/usr/lib/python3.12/ssl.py", line 1320, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '95.216.167.199'. (_ssl.c:1000) Perhaps the problem is using IP and not name? Hope to find time to investigate further. -- Happy hacking Petter Reinholdtsen