OpenSSL.SSL.Error certificate verify failed #823

Closed
spice0xff opened this issue Mar 1, 2019 · 4 comments

@spice0xff

Hi! I am trying to connect to FCM over XMPP with aioxmpp and aiofcm, but I get the same error: "OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]".

With aioxmpp:

```python
import asyncio
import datetime
import json
import uuid

import aioxmpp
import aioxmpp.connector
import aioxmpp.xso

# FCM_SERVER_URL, FCM_SERVER_PORT, FCM_JID, FCM_API_KEY and RECIPIENT are
# set elsewhere (not shown).


class FCMPayload(aioxmpp.xso.XSO):
    TAG = ("google:mobile:data", "gcm")
    text = aioxmpp.xso.Text(default=None)


async def main(jid, password, recipient):
    # Attach the FCM payload element to message stanzas.
    aioxmpp.stanza.Message.fcm_payload = aioxmpp.xso.Child([FCMPayload])

    client = aioxmpp.node.PresenceManagedClient(
        aioxmpp.structs.JID.fromstr(jid),
        aioxmpp.security_layer.tls_with_password_based_authentication(password),
        override_peer=[(FCM_SERVER_URL, FCM_SERVER_PORT, aioxmpp.connector.XMPPOverTLSConnector())],
    )

    payload = FCMPayload()
    payload.text = json.dumps({
        "message_id": str(uuid.uuid4()),
        "to": recipient,
        "data": {
            "test": "test"
        }
    })

    async with aioxmpp.node.UseConnected(client, timeout=datetime.timedelta(seconds=30)) as stream:
        msg = aioxmpp.stanza.Message(type_="normal", id_="")
        msg.fcm_payload = payload
        await stream.send_and_wait_for_sent(msg)


asyncio.get_event_loop().run_until_complete(main(FCM_JID, FCM_API_KEY, RECIPIENT))
```

I get this traceback:

certificate verification failed (by OpenSSL)
Fatal error on tls handshake
protocol: <aioxmpp.protocol.XMLStream object at 0x0000000004AC0A20>
transport: <aioopenssl.STARTTLSTransport object at 0x0000000004AC0D68>
Traceback (most recent call last):
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\aioopenssl\__init__.py", line 331, in _tls_do_handshake
    self._tls_conn.do_handshake()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
Exception in callback None()
handle: <Handle cancelled>
Traceback (most recent call last):
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\aioopenssl\__init__.py", line 331, in _tls_do_handshake
    self._tls_conn.do_handshake()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\bin\Python37\Lib\asyncio\events.py", line 88, in _run
    self._context.run(self._callback, *self._args)
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\aioopenssl\__init__.py", line 346, in _tls_do_handshake
    self._waiter.set_exception(exc)
asyncio.base_futures.InvalidStateError: invalid state
connection failed: _force_close() called

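With aiofcm:

```python
import asyncio
from uuid import uuid4

from aiofcm import FCM, Message, PRIORITY_HIGH

# FCM_JID, FCM_API_KEY and RECIPIENT are set elsewhere (not shown).


async def run():
    fcm = FCM(FCM_JID, FCM_API_KEY)
    message = Message(
        device_token=RECIPIENT,
        data={"test": "test"},
        message_id=str(uuid4()),
        time_to_live=3,
        priority=PRIORITY_HIGH,
    )
    await fcm.send_message(message)

loop = asyncio.get_event_loop()
loop.run_until_complete(run())
```

I get this traceback: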

Fatal error on tls handshake
protocol: <aioxmpp.protocol.XMLStream object at 0x0000000004ACE630>
transport: <aioopenssl.STARTTLSTransport object at 0x0000000004ACE978>
Traceback (most recent call last):
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\aioopenssl\__init__.py", line 331, in _tls_do_handshake
    self._tls_conn.do_handshake()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
Exception in callback None()
handle: <Handle cancelled>
Traceback (most recent call last):
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\aioopenssl\__init__.py", line 331, in _tls_do_handshake
    self._tls_conn.do_handshake()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\bin\Python37\Lib\asyncio\events.py", line 88, in _run
    self._context.run(self._callback, *self._args)
  File "C:\dev\PycharmProjects\aioxmpp_test_py_3.7.2\lib\site-packages\aioopenssl\__init__.py", line 346, in _tls_do_handshake
    self._waiter.set_exception(exc)
asyncio.base_futures.InvalidStateError: invalid state

My environment is:
Windows 7 and Debian 8
Python 3.7.2
aioopenssl 0.4.1

Issues in aiofcm and aioxmpp:
Fatal1ty/aiofcm#6
https://github.com/horazont/aioxmpp/issues/282

@reaperhulk
Member

reaperhulk commented Mar 1, 2019

On Windows pyOpenSSL doesn't ship with any trust roots (for annoying technical reasons). You'll need to supply your own trust roots. This can most easily be accomplished via certifi where you call certifi.where() and pass that value to load_verify_locations. Since you're not directly consuming pyOpenSSL you'll need to find (or create) an API in the library you're using to let you do this. Good luck!

@spice0xff
Author

This problem also appears on Debian.
I have reproduced this problem in a Docker image. It can be run with:
docker run -it spice0xff/aioxmpp_test python ~/aioxmpp_test/aioxmpp_test.py
Can you try this?

@reaperhulk reaperhulk reopened this Mar 6, 2019
@reaperhulk
Member

reaperhulk commented Mar 6, 2019

Reopening since we have a method of reproduction in linux.

I can confirm the failure occurs in your debian image, but the failure appears to occur even if I link cryptography against system OpenSSL (You can do this yourself by doing pip install cryptography --no-binary cryptography as long as you have a compiler and libssl-dev installed). In that case it's just using the standard system verification, so any failure suggests that there's an issue with either the actual server certificate (I don't know what cert it is obtaining and I don't have the free time to dig through the layers here) or with the way the OpenSSL context is being created in aioxmpp/aioopenssl.
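
Added example, not part of the thread and not pyOpenSSL project code: a pyOpenSSL client context that loads certifi's roots through `load_verify_locations`, as the first reply suggests, with a verify callback that records which certificate in the chain is rejected, the question the reply above leaves open. The function names and the error-code table are this example's own; `probe()` needs network access and a direct-TLS endpoint.

```python
import socket

import certifi
from OpenSSL import SSL

# OpenSSL X509_V_ERR_* codes commonly behind "certificate verify failed".
COMMON_ERRORS = {
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
}


def recorder(failures):
    """Build a verify callback that logs each rejected chain certificate."""
    def on_verify(conn, cert, errnum, depth, ok):
        # Called per chain certificate; ok is OpenSSL's own verdict.
        if not ok:
            reason = COMMON_ERRORS.get(errnum, "X509_V_ERR code %d" % errnum)
            failures.append((depth, cert.get_subject().CN, reason))
        return bool(ok)  # report only, never override a failed check
    return on_verify


def make_context(failures, cafile=None):
    """Client context that verifies the peer chain against explicit roots."""
    ctx = SSL.Context(SSL.SSLv23_METHOD)  # version-flexible TLS method
    # Name the trust store explicitly instead of relying on built-in defaults.
    ctx.load_verify_locations(cafile or certifi.where())
    ctx.set_verify(SSL.VERIFY_PEER, recorder(failures))
    return ctx


def probe(host, port, timeout=10):
    """Direct-TLS handshake (chain check only); returns recorded failures."""
    failures = []
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(None)  # pyOpenSSL needs a blocking socket for do_handshake
    conn = SSL.Connection(make_context(failures), sock)
    conn.set_tlsext_host_name(host.encode("idna"))  # SNI
    conn.set_connect_state()
    try:
        conn.do_handshake()
    except SSL.Error:
        pass  # the per-certificate detail is already in failures
    finally:
        sock.close()
    return failures
```

An empty list from `probe()` means the chain validated against certifi's bundle; hostname matching is a separate check that this context does not perform.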

@facutuesca
Contributor

facutuesca commented Oct 4, 2023

Taking into account @reaperhulk's answer:

> In that case it's just using the standard system verification, so any failure suggests that there's an issue with either the actual server certificate (I don't know what cert it is obtaining and I don't have the free time to dig through the layers here) or with the way the OpenSSL context is being created in aioxmpp/aioopenssl.

this doesn't look like an issue with PyOpenSSL. Also, since the last activity is from 2019, I suggest we close this one.
cc @reaperhulk @mhils

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 3, 2024