[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2791: Tahoe CLI / SSL certificate

Tahoe-LAFS trac at tahoe-lafs.org
Sun Jul 3 18:27:46 UTC 2016


#2791: Tahoe CLI / SSL certificate
-----------------------------------+-----------------------
     Reporter:  cedric             |      Owner:
         Type:  defect             |     Status:  new
     Priority:  normal             |  Milestone:  undecided
    Component:  code-frontend-cli  |    Version:  1.11.0
   Resolution:                     |   Keywords:
Launchpad Bug:                     |
-----------------------------------+-----------------------
Changes (by warner):

 * component:  unknown => code-frontend-cli


Old description:

> Hi,
>
> I'm running a small grid with a few nodes.
> I use the Web API through HTTPS with self-signed certificates/internal CA.
> I'm dealing with some troubles when I call the tahoe CLI (e.g. tahoe
> create-alias...).
>
> "tahoe create-alias test" returns an error:
> Traceback (most recent call last):
>   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 162, in run
>     rc = runner(sys.argv[1:], install_node_control=install_node_control)
>   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 147, in runner
>     rc = cli.dispatch[command](so)
>   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/cli.py", line 486, in create_alias
>     rc = tahoe_add_alias.create_alias(options)
>   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/tahoe_add_alias.py", line 85, in create_alias
>     resp = do_http("POST", url)
>   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/common_http.py", line 70, in do_http
>     c.endheaders()
>   File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
>     self._send_output(message_body)
>   File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
>     self.send(msg)
>   File "/usr/lib/python2.7/httplib.py", line 812, in send
>     self.connect()
>   File "/usr/lib/python2.7/httplib.py", line 1212, in connect
>     server_hostname=server_hostname)
>   File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
>     _context=self)
>   File "/usr/lib/python2.7/ssl.py", line 566, in __init__
>     self.do_handshake()
>   File "/usr/lib/python2.7/ssl.py", line 796, in do_handshake
>     match_hostname(self.getpeercert(), self.server_hostname)
>   File "/usr/lib/python2.7/ssl.py", line 273, in match_hostname
>     % (hostname, dnsnames[0]))
> CertificateError: hostname '127.0.0.1' doesn't match u'Myhostname'
>
> The SSL certificate has CN=Myhostname and an alternative name IP.1=127.0.0.1.
> The CA certificate is available in /etc/ssl/certs/ and c_rehash has been done.
>
> openssl s_client -connect 127.0.0.1:3456 -CApath /etc/ssl/certs/ returns
> "Ok".
>
> It seems that ssl.py only tries to verify CN == hostname; there is no
> verification of the alternative name.
>
> The only way I've found to get the tahoe CLI working is to change node.url by
> replacing https://127.0.0.1:3456 with https://Myhostname:3456.
>
> Did I miss something?
>
> Thanks for your help and thanks for the great job on Tahoe-LAFS!

New description:

 Hi,

 I'm running a small grid with a few nodes.
 I use the Web API through HTTPS with self-signed certificates/internal CA.
 I'm dealing with some troubles when I call the tahoe CLI (e.g. tahoe
 create-alias...).

 "tahoe create-alias test" returns an error:
 {{{
 Traceback (most recent call last):
   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 162, in run
     rc = runner(sys.argv[1:], install_node_control=install_node_control)
   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 147, in runner
     rc = cli.dispatch[command](so)
   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/cli.py", line 486, in create_alias
     rc = tahoe_add_alias.create_alias(options)
   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/tahoe_add_alias.py", line 85, in create_alias
     resp = do_http("POST", url)
   File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/common_http.py", line 70, in do_http
     c.endheaders()
   File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
     self._send_output(message_body)
   File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
     self.send(msg)
   File "/usr/lib/python2.7/httplib.py", line 812, in send
     self.connect()
   File "/usr/lib/python2.7/httplib.py", line 1212, in connect
     server_hostname=server_hostname)
   File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
     _context=self)
   File "/usr/lib/python2.7/ssl.py", line 566, in __init__
     self.do_handshake()
   File "/usr/lib/python2.7/ssl.py", line 796, in do_handshake
     match_hostname(self.getpeercert(), self.server_hostname)
   File "/usr/lib/python2.7/ssl.py", line 273, in match_hostname
     % (hostname, dnsnames[0]))
 CertificateError: hostname '127.0.0.1' doesn't match u'Myhostname'
 }}}

 The SSL certificate has CN=Myhostname and an alternative name IP.1=127.0.0.1.
 The CA certificate is available in /etc/ssl/certs/ and c_rehash has been done.

 openssl s_client -connect 127.0.0.1:3456 -CApath /etc/ssl/certs/ returns
 "Ok".

 It seems that ssl.py only tries to verify CN == hostname; there is no
 verification of the alternative name.

 The only way I've found to get the tahoe CLI working is to change node.url by
 replacing https://127.0.0.1:3456 with https://Myhostname:3456.

 Did I miss something?

 Thanks for your help and thanks for the great job on Tahoe-LAFS!

--

Comment:

 Hm, it might be that it isn't paying attention to the "alternative name",
 or maybe it's just unwilling to accept numeric IP addresses at all (or
 maybe just 127.0.0.1 .. no CA would issue one like that, so maybe the
 libraries don't ever expect one like that). You might try setting the alt-
 name to "localhost", and see if that affects anything.

 To be honest I haven't paid close attention to what our CLI tools do with
 TLS, because I always run them against 127.0.0.1, which doesn't need
 transport-level security. (if you were running the client/gateway on a
 remote system, TLS would be critical, of course).

 We might want to consider rewriting our CLI tools in terms of the
 `requests` library, which is generally considered to be the modern way to
 do HTTP. I don't know how `requests` does TLS verification, but I'd want
 to do whatever they do.

 But yes, I suspect that setting your `node.url` to something which the TLS
 client is willing to verify is the easiest fix, if setting alt-name to
 "localhost" doesn't work.

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2791#comment:1>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
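The matching failure from the ticket, as an added example that is neither Tahoe-LAFS nor Python's own code: a constructed getpeercert()-style dict with the reporter's CN=Myhostname and IP SAN is checked once the way Python 2.7's ssl.match_hostname did (dNSName SAN entries plus a CN fallback only, which is what the traceback's `dnsnames[0]` refers to) and once with the 'IP Address' SAN honoured as later Python versions do; the wildcard rule and error wording are simplified approximations of ssl.py, not its code.

```python
import ipaddress
# Constructed stand-in for ssl.SSLSocket.getpeercert(): the certificate the
# reporter describes, CN=Myhostname plus SAN IP.1=127.0.0.1 and no dNSName.
REPORTER_CERT = {"subject": ((("commonName", "Myhostname"),),),
                 "subjectAltName": (("IP Address", "127.0.0.1"),)}

class CertificateError(ValueError):
    pass

def _dns_match(pattern, hostname):
    """Case-insensitive label match; a left-most '*' label is a wildcard."""
    pat, host = pattern.lower().split("."), hostname.lower().split(".")
    return (len(pat) == len(host) and pat[1:] == host[1:]
            and (pat[0] == host[0] or (pat[0] == "*" and len(pat) > 1)))

def match_hostname(cert, hostname, allow_ip_san=True):
    """Raise CertificateError unless hostname fits cert. allow_ip_san=False mirrors
    Python 2.7's ssl.match_hostname (the ticket's traceback): IP SANs are ignored."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None  # not an IP literal, so treat it as a DNS name
    san = cert.get("subjectAltName", ())
    names = []  # candidates examined, echoed in the error as ssl.py does
    for kind, value in san:
        if kind == "DNS":
            names.append(value)
            if host_ip is None and _dns_match(value, hostname):
                return
        elif kind == "IP Address" and allow_ip_san:
            names.append(value)
            if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                return
    # CN is a fallback only when no dNSName SAN exists, hence the Myhostname workaround.
    if not any(kind == "DNS" for kind, _ in san):
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        names.extend(cns)
        if host_ip is None and any(_dns_match(cn, hostname) for cn in cns):
            return
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(map(repr, names)) or "any name"))

def verify_peer_name(cert, hostname, allow_ip_san=True):
    """Return None when the name is accepted, otherwise the error text."""
    try:
        match_hostname(cert, hostname, allow_ip_san)
    except CertificateError as exc:
        return str(exc)
    return None
```

Note that `openssl s_client` with only `-CApath` validates the certificate chain and does not compare the peer name against the URL's host, so its "Ok" does not exercise the check that fails here.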

