OpenSSL.SSL.Error #6

Open
spice0xff opened this issue Feb 26, 2019 · 4 comments

spice0xff commented Feb 26, 2019

Hi! I tried to run the example code and got the following traceback (Python 3.5.6 on Windows 7 and Debian 8):

```
Fatal error on tls handshake
protocol: <aioxmpp.protocol.XMLStream object at 0x2b1a054c0320>
transport: <aioopenssl.STARTTLSTransport object at 0x2b1a054c0860>
Traceback (most recent call last):
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/aioopenssl/__init__.py", line 331, in _tls_do_handshake
    self._tls_conn.do_handshake()
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
Exception in callback <bound method STARTTLSTransport._tls_do_handshake of <aioopenssl.STARTTLSTransport object at 0x2b1a054c0860>>
handle: <Handle cancelled>
Traceback (most recent call last):
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/aioopenssl/__init__.py", line 331, in _tls_do_handshake
    self._tls_conn.do_handshake()
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "uvloop/cbhandles.pyx", line 66, in uvloop.loop.Handle._run
  File "/home/dev/.pyenv/versions/aiofcm_test/lib/python3.5/site-packages/aioopenssl/__init__.py", line 346, in _tls_do_handshake
    self._waiter.set_exception(exc)
  File "/home/dev/.pyenv/versions/3.5.6/lib/python3.5/asyncio/futures.py", line 361, in set_exception
    raise InvalidStateError('{}: {!r}'.format(self._state, self))
asyncio.futures.InvalidStateError: FINISHED: <Future finished exception=ConnectionError('_force_close() called',)>
```

@Fatal1ty
Owner

I see you created the related issue https://github.com/horazont/aioxmpp/issues/282
Hope it will help. We need to figure out what the problem is.

kobzar commented Aug 1, 2019

The same issue on OS X with Python 3.7.
It's not an OS platform mistake.
Does someone have a solution?

@rosenbrockc

For the record, I managed to get this working by:

```python
import asyncio
from typing import Optional

from aiofcm.connection import FCMXMPPConnection, FCMConnectionPool, logger
from aiofcm import FCM, Message, PRIORITY_HIGH

import aioxmpp
import certifi


def certifi_factory():
    """Creates an SSL context using the root CA certificates that ship with :mod:`certifi`.
    """
    ctx = aioxmpp.security_layer.default_ssl_context()
    # Add certifi's bundled root CAs to the context's trust store.
    ctx.load_verify_locations(certifi.where())
    return ctx


class CertifiConnection(FCMXMPPConnection):
    def _create_client(self, sender_id, api_key, loop=None) -> aioxmpp.Client:
        """Overrides the default :meth:`_create_client` so that a custom certificate location
        can be specified for the root CA certificates.
        """
        xmpp_client = aioxmpp.Client(
            local_jid=aioxmpp.JID.fromstr('%s@gcm.googleapis.com' % sender_id),
            # Keep the default security layer, but swap in the certifi-backed context factory.
            security_layer=aioxmpp.make_security_layer(api_key)._replace(
                ssl_context_factory=certifi_factory,
            ),
            override_peer=[
                (self.FCM_HOST, self.FCM_PORT,
                 aioxmpp.connector.XMPPOverTLSConnector())
            ],
            loop=loop
        )
        xmpp_client.on_stream_established.connect(
            lambda: self._wait_connection.set_result(True)
        )
        xmpp_client.on_stream_destroyed.connect(
            self._on_stream_destroyed
        )
        xmpp_client.on_failure.connect(
            lambda exc: self._wait_connection.set_exception(exc)
        )
        xmpp_client.stream.register_message_callback(
            type_=aioxmpp.MessageType.NORMAL,
            from_=None,
            cb=self.on_response
        )
        return xmpp_client


class CertifiConnectionPool(FCMConnectionPool):
    async def connect(self) -> CertifiConnection:
        connection = CertifiConnection(
            sender_id=self.sender_id,
            api_key=self.api_key,
            loop=self.loop,
        )
        await connection.connect()
        logger.info('Connection established (total: %d)',
                    len(self.connections) + 1)
        return connection


class CertifiFCM(FCM):
    def __init__(self, sender_id, api_key, max_connections=10, loop=None):
        # type: (int, str, int, Optional[asyncio.AbstractEventLoop]) -> None
        # Use the pool whose connections are created by CertifiConnection.
        self.pool = CertifiConnectionPool(sender_id, api_key, max_connections, loop)
```

This was combining some of the suggestions from related issues. I don't have time to put together a pull request, figure out the testing strategy, etc. But, perhaps @Fatal1ty could bring this in as a keyword argument to the FCM client (i.e., certifi=False default, but when True, it uses this context factory).

@Fatal1ty
Owner

Thank you @rosenbrockc. I will look into it when I have time.
