#2791 new defect

Tahoe CLI / SSL certificate — at Version 1

Reported by: cedric Owned by:
Priority: normal Milestone: undecided
Component: code-frontend-cli Version: 1.11.0
Keywords: Cc:
Launchpad Bug:

Description (last modified by warner)

Hi,

I'm running a small grid with few nodes. I use Web API through HTTPS with self signed certificates/Internal CA I'm dealing with some troubles when i call tahoe cli (eg: tahoe create-alias....).

"tahoe create-alias test" return error:

Traceback (most recent call last):
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 162, in run
    rc = runner(sys.argv[1:], install_node_control=install_node_control)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 147, in runner
    rc = cli.dispatch[command](so)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/cli.py", line 486, in create_alias
    rc = tahoe_add_alias.create_alias(options)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/tahoe_add_alias.py", line 85, in create_alias
    resp = do_http("POST", url)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/common_http.py", line 70, in do_http
    c.endheaders()
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 796, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 273, in match_hostname
    % (hostname, dnsnames[0]))
CertificateError: hostname '127.0.0.1' doesn't match u'Myhostname'

SSL certificate has CN=Myhostname and an alternative name IP.1=127.0.0.1. CA certificate is available in /etc/ssl/certs/ and c_rehash done.

openssl s_client -connect 127.0.0.1:3456 -CApath /etc/ssl/certs/ return "Ok".

It seem that ssl.py is only try to verify CN == hostname, there is no verification on alternative name.

The only way i've found to get tahoe cli working is to change node.url by replacing https://127.0.0.1:3456 by https://Myhostname:3456

I missed something?

Thanks for your help and thanks for the great job on Tahoe-LAFS!

Change History (1)

comment:1 Changed at 2016-07-03T18:27:46Z by warner

  • Component changed from unknown to code-frontend-cli
  • Description modified (diff)

Hm, it might be that it isn't paying attention to the "alternative name", or maybe it's just unwilling to accept numeric IP addresses at all (or maybe just 127.0.0.1 .. no CA would issue one like that, so maybe the libraries don't ever expect one like that). You might try setting the alt-name to "localhost", and see if that affects anything.

To be honest I haven't paid close attention to what our CLI tools do with TLS, because I always run them against 127.0.0.1, which doesn't need transport-level security. (if you were running the client/gateway on a remote system, TLS would be critical, of course).

We might want to consider rewriting out CLI tools in terms of the requests library, which is generally considered to be the modern way to do HTTP. I don't know how requests does TLS verification, but I'd want to do whatever they do.

But yes, I suspect that setting your node.url to something which the TLS client is willing to verify is the easiest fix, if setting alt-name to "localhost" doesn't work.

Note: See TracTickets for help on using tickets.