
Better error reporting for failed TLS server cert verification


Hey y’all,

This code works fine when I connect to localhost with ws://, but it fails when I try to use it with wss:// and a production server with a valid certificate. Specifically, my TLS certificate seems to get rejected (CA unknown) despite being valid. I’ve posted Wireshark logs and a minimum reproduction below.

Here is the minimum reproduction:

from autobahn.twisted.wamp import Session
from autobahn.twisted.wamp import ApplicationRunner

from twisted.internet import reactor


def onClose(wasClean, code=None, reason=None):
    # Print the close reason for a connection that never reached a session
    print(reason)


def create_disconnect_monkeypatch():
    """https://github.com/crossbario/autobahn-python/issues/559"""
    def connect_success(proto):
        orig_on_close = proto.onClose

        def fake_on_close(*args, **kwargs):
            # No session means the transport closed before the WAMP join
            if proto._session is None:
                onClose(*args, **kwargs)
            else:
                orig_on_close(*args, **kwargs)

        proto.onClose = fake_on_close
    return connect_success


class Test(Session):

    def onJoin(self, *args, **kwargs):
        print("Joined!")


application_runner = ApplicationRunner(
    url="wss://hyperdash.io/api/v1/sdk",
    realm="hyperdash.sdk",
)

application_runner_deferred = application_runner.run(
    Test,
    start_reactor=False,
    auto_reconnect=False,
)

application_runner_deferred.addCallback(
    create_disconnect_monkeypatch(),
)

reactor.run()

This generates logs like this:

(env)richie$ python repo.py 
connection was closed uncleanly (peer dropped the TCP connection without previous WebSocket closing handshake)

Executing pip freeze shows these dependencies:

asn1crypto==0.22.0
attrs==17.2.0
autobahn==17.6.2
Automat==0.6.0
cffi==1.10.0
constantly==15.1.0
cryptography==1.9
enum34==1.1.6
hyperlink==17.2.1
idna==2.5
incremental==17.5.0
ipaddress==1.0.18
pyasn1==0.2.3
pyasn1-modules==0.0.9
pycparser==2.17
pyOpenSSL==17.1.0
service-identity==17.0.0
six==1.10.0
Twisted==17.5.0
txaio==2.8.0
zope.interface==4.4.2

python --version
Python 2.7.10

openssl version
OpenSSL 1.0.2l  25 May 2017

which openssl
/Users/richie/anaconda3/bin/openssl

In a python REPL:

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8zh 14 Jan 2016'

I thought maybe it was related to an old version of openssl, but when I run the code using Conda which has a newer version:

conda REPL:

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2l  25 May 2017'

I still get the same error.

Any thoughts? The Wireshark logs seem to indicate that it’s a TLS issue (specifically, the CA unknown error); however, I’m pretty sure our certificate is fine:

openssl s_client -showcerts -connect hyperdash.io:443
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = hyperdash.io
verify return:1
---
Certificate chain
 0 s:/CN=hyperdash.io
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
-----BEGIN CERTIFICATE-----
MIIEXDCCA0SgAwIBAgIQDvBr0vUpu8dU1eUBRrZR8DANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg
Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0xNzA2MTEwMDAwMDBaFw0xODA3MTEx
MjAwMDBaMBcxFTATBgNVBAMTDGh5cGVyZGFzaC5pbzCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMhG4HC0G38/+saEd9YjKxwxBwypUw7FF+MiJoYsPC4z
AhwdMRMmG+JYM8DM1oHz5zD6+AyrnvgZu+zr89lAD/ZpYW8oFUpKQm19mZ0JPRkz
P4qeUawpPJeGlrVbSTXOV7cO5VydGH4eVBvOiUacwpmezKMXvyZN3kdhrsDqX+NY
MUQHmtaONtadBJ/ucTU82TJtA7MkfStNlEY29ZCNFfslSRdGIQFJSnllhWmrcvGE
PM4ilRe3Tr8RuMZ74i9WghUL7FeFYV4k/nLLfhhzHMucMz5JtvSG/13G3ILAlLIY
yHJQ7cMVSakJuVAiEvFkY7xqauVB35xdM3B60LrK3kkCAwEAAaOCAXMwggFvMB8G
A1UdIwQYMBaAFFmkZgZSoHuVkjyjlAcnlnRb+T3QMB0GA1UdDgQWBBRS/0F75pzx
U42JooLskwpeS1BrHTAnBgNVHREEIDAeggxoeXBlcmRhc2guaW+CDiouaHlwZXJk
YXNoLmlvMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zY2ExYi5hbWF6b250
cnVzdC5jb20vc2NhMWIuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMHUGCCsGAQUF
BwEBBGkwZzAtBggrBgEFBQcwAYYhaHR0cDovL29jc3Auc2NhMWIuYW1hem9udHJ1
c3QuY29tMDYGCCsGAQUFBzAChipodHRwOi8vY3J0LnNjYTFiLmFtYXpvbnRydXN0
LmNvbS9zY2ExYi5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
fwJ+IZX3RZEr0Li6zAJrJn2NS5DsNP0WvArljtnKhx4zDMwIZ8MCde1mponuSrZk
JQ3L0CqYBRCVPSHzbQZeMYnrpVHC0gwLwpJUKKe85wQCZLkFARL5nxEjnwqMokJG
r2tssSJ1CMmgiTI19KWmZsuGIORt9oHAJpzXZins7TpcMfpKYxmrS+VfbUZCMXhF
0eLmEiLyTCxQtavlyGyI/0A0y/AVb2higpax4082cRnQpY0fQgMo9zdi0mfsMIx8
fZv+hkjZpJz1w5w5HtKJtIYVt60W/UxP6VHB1vahoL+WCDkbB6x4Y7ns+nJoboGI
v1l/QyWbxuoZ2qPy1fF/5w==
-----END CERTIFICATE-----
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgITBn+USionzfP6wq4rAfkI7rnExjANBgkqhkiG9w0BAQsF
ADCBmDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNj
b3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4x
OzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1
dGhvcml0eSAtIEcyMB4XDTE1MDUyNTEyMDAwMFoXDTM3MTIzMTAxMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaOCATEwggEtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
BAQDAgGGMB0GA1UdDgQWBBSEGMyFNOy8DJSULghZnMeyEE4KCDAfBgNVHSMEGDAW
gBScXwDfqgHXMCs4iKK4bUqc8hGRgzB4BggrBgEFBQcBAQRsMGowLgYIKwYBBQUH
MAGGImh0dHA6Ly9vY3NwLnJvb3RnMi5hbWF6b250cnVzdC5jb20wOAYIKwYBBQUH
MAKGLGh0dHA6Ly9jcnQucm9vdGcyLmFtYXpvbnRydXN0LmNvbS9yb290ZzIuY2Vy
MD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwucm9vdGcyLmFtYXpvbnRydXN0
LmNvbS9yb290ZzIuY3JsMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsF
AAOCAQEAYjdCXLwQtT6LLOkMm2xF4gcAevnFWAu5CIw+7bMlPLVvUOTNNWqnkzSW
MiGpSESrnO09tKpzbeR/FoCJbM8oAxiDR3mjEH4wW6w7sGDgd9QIpuEdfF7Au/ma
eyKdpwAJfqxGF4PcnCZXmTA5YpaP7dreqsXMGz7KQ2hsVxa81Q4gLv7/wmpdLqBK
bRRYh5TmOTFffHPLkIhqhBGWJ6bt2YFGpn6jcgAKUj6DiAdjd4lpFw85hdKrCEVN
0FE6/V1dN2RMfjCyVSRCnTawXZwXgWHxyvkQAiSr6w10kY17RSlQOYiypok1JR4U
akcjMS9cmvqtmg5iUaQqqcT5NJ0hGA==
-----END CERTIFICATE-----
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=hyperdash.io
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5219 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 928185310E190E60D629529C83C1E476ECD1EEB8EDA96B25ACA82D2F7599C104
    Session-ID-ctx: 
    Master-Key: BA5456ED1379C7D991D8955499C614F78FE36D75D4156D55112837D9EC030F776488C3ED6F722A65A6C1CE0D165B411D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - bd cb 52 c0 db 80 ea a1-15 4b a0 fd b1 a8 91 4e   ..R......K.....N
    0010 - a3 98 e1 2f 36 b1 6e a6-d9 26 99 00 26 ed 79 1a   .../6.n..&..&.y.
    0020 - 9e 43 4c 77 b2 6e 7b 66-57 eb a6 22 da 13 2a 8c   .CLw.n{fW.."..*.
    0030 - b1 ee 62 0e e5 9c f9 e7-60 f5 2c f3 ac 36 71 4f   ..b.....`.,..6qO
    0040 - d7 1e 3c cf 56 40 5b e7-6f fe da c7 bb 49 96 4c   ..<.V@[.o....I.L
    0050 - 3d 54 ba f4 60 86 9b 50-7c c1 b6 90 fc 26 b5 49   =T..`..P|....&.I
    0060 - 18 98 fa 5e 72 1d 29 c1-22 1b 5d 36 92 0d 46 86   ...^r.).".]6..F.
    0070 - d9 dd a4 63 26 d8 29 6e-7f 8b 85 cf 40 3b 07 ea   ...c&.)n....@;..
    0080 - 8c da d0 49 93 3b c7 4a-2a 10 c3 96 53 d2 24 fe   ...I.;.J*...S.$.
    0090 - 32 ab 7f bf 26 1d e2 7d-8c 0b 6d cb c8 05 3b 42   2...&..}..m...;B
    00a0 - c1 cd 4b e7 c0 d9 8a e4-07 de e4 78 5c 7c c2 e3   ..K........x\|..

    Start Time: 1499200369
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

autobahn_wamp_packets.pcapng.zip
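The following diagnostic is an added example, not the reporter's script and not autobahn or Twisted code; it is Python 3 and uses only the standard library. It covers the two things the report above had to piece together by hand: which OpenSSL build and CA store the interpreter itself is linked against (which is not necessarily the `openssl` binary on PATH, as the two differing `ssl.OPENSSL_VERSION` values above show), and a verified handshake with `ssl.create_default_context()` whose failure text is turned into the underlying X.509 verify reason rather than a generic "connection was closed" message. The reason table, the regular expression and any host names are constructed for this example.

```python
"""Client-side diagnosis of a failed TLS server-certificate verification.

Added example; not the reporter's code and not part of autobahn/Twisted.
Assumes the client verifies through Python's own ssl module, so what matters
is the OpenSSL and trust store the interpreter is linked against.
"""
import re
import socket
import ssl

# OpenSSL X509 verify reason text, as the ssl module embeds it in its error
# message, mapped to what the client is objecting to.  Constructed table;
# keys are matched as prefixes, so the longer "self signed ... chain" entry
# must stay ahead of the plain "self signed certificate" entry.
VERIFY_REASONS = {
    "unable to get local issuer certificate":
        "the issuer of a certificate in the chain is not in the client's trust "
        "store (missing root, or the server did not send an intermediate)",
    "self signed certificate in certificate chain":
        "the chain terminates in a root the client's trust store does not contain",
    "self signed certificate":
        "the leaf is self-signed and is not explicitly trusted",
    "certificate has expired":
        "notAfter is in the past according to the client's clock",
    "certificate is not yet valid":
        "notBefore is in the future according to the client's clock",
    "hostname mismatch":
        "the certificate verifies but is not valid for the name connected to",
}

# Matches "... certificate verify failed: <reason> (_ssl.c:NNNN)" and captures <reason>.
_VERIFY_RE = re.compile(r"certificate verify failed: (.+?)\s*(?:\(_ssl\.c:\d+\))?\s*$")


def classify_verify_error(message):
    """Return (reason, explanation) for an ssl-module error string, or None if
    the message is not a certificate verification failure at all."""
    match = _VERIFY_RE.search(message)
    if not match:
        return None
    reason = match.group(1).strip()
    for key, explanation in VERIFY_REASONS.items():
        if reason.lower().startswith(key):
            return reason, explanation
    return reason, "unrecognised OpenSSL verify reason"


def describe_environment():
    """Report the OpenSSL build and default CA locations the interpreter uses."""
    paths = ssl.get_default_verify_paths()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,
        "capath": paths.capath,
        "openssl_cafile_env": paths.openssl_cafile_env,
        "openssl_capath_env": paths.openssl_capath_env,
    }


def probe(host, port=443, timeout=5.0):
    """Perform a fully verified handshake and return a structured result."""
    # create_default_context() sets CERT_REQUIRED, enables hostname checking
    # and loads the system trust store; this is the same bar a client should meet.
    ctx = ssl.create_default_context()
    result = {"host": host, "port": port, "verified": False,
              "error": None, "reason": None, "explanation": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["verified"] = True
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["subject"] = tls.getpeercert().get("subject")
    except ssl.SSLError as exc:          # SSLError is an OSError; catch it first
        result["error"] = str(exc)
        classified = classify_verify_error(str(exc))
        if classified:
            result["reason"], result["explanation"] = classified
    except OSError as exc:
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    import sys
    for key, value in describe_environment().items():
        print("%-20s %s" % (key, value))
    # Host name taken from the command line; example.invalid is a placeholder.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.invalid"))
```

Running it with the interpreter that actually executes the client (here the one reporting OpenSSL 0.9.8zh) shows whether the verified handshake fails from that build and why, which is the information the WebSocket layer's "closed uncleanly" message hides.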

Issue Analytics

  • State:open
  • Created 6 years ago
  • Comments:34 (33 by maintainers)

Top GitHub Comments

1 reaction
oberstet commented on Jul 7, 2017

I think snaps are really promising. Also because it takes OS updates into account (an Ubuntu Core system completely consists of snap … including kernel and OS userland).

snaps also run on most Linux distros these days

https://snapcraft.io/docs/core/install

However, the isolation only works with Ubuntu AppArmor enabled kernels currently (as far as I understand, not all Ubuntu AppArmor kernel mods are upstreamed yet).

Crossbar.io is currently available as a snap for x86-64 and armhf - aarch64 doesn’t work yet in snapcraft.

0 reactions
richardartoul commented on Jul 24, 2017

I understand the benefits of alternative packaging methods, but unfortunately I’m writing a pip-installable library, not a stand-alone executable.
