AttributeError: 'NoneType' object has no attribute 'ssl_cert' on session start

[themoonisacheese]

Describe the bug
when I launch a TCP session using the GUI (on windows) to a almalinux 8.9 server, i get the following error in the debug console:

2024-03-14 11:05:56,716 upgrading tcp socket: [redacted]:58214 <- [redacted]:14500 to ssl
Exception in thread ssl-upgrade:
Traceback (most recent call last):
  File "C:/msys64/mingw64/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
  File "C:/msys64/mingw64/lib/python3.11/threading.py", line 982, in run
  File "E:/xpra/xpra/client/base/client_base.py", line 778, in ssl_upgrade
  File "E:/xpra/xpra/net/socket_util.py", line 924, in get_ssl_attributes
AttributeError: 'NoneType' object has no attribute 'ssl_cert'

the gui then hangs forever and never informs me it failed.

To Reproduce
Steps to reproduce the behavior:

1. freshly installed server, no config changes.
2. on the client, launch xpra-launcher-debug
3. choose mode: TCP, enter username and server, leave port as default 14500. whether or not a password is provided is irrelevant, press connect.
4. gui hangs forever and must be closed using task manager
5. the debug console shows the info written above.

System Information (please complete the following information):

• Server OS: Almalinux 8.9
• Client OS: Win 10 22h2 19045.4170
• Xpra Server Version: 5.0.7
• Xpra Client Version: 5.0.7 (ZIP)

I also tried running:
.\xpra_cmd.exe start tcp://user@server:14500/ start=xterm
which ended in a similar error:

2024-03-14 11:17:12,183 upgrading tcp socket: [redacted]:58754 <- [redacted]:14500 to ssl
Exception in thread ssl-upgrade:
Traceback (most recent call last):
  File "C:/msys64/mingw64/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
  File "C:/msys64/mingw64/lib/python3.11/threading.py", line 982, in run
  File "E:/xpra/xpra/client/base/client_base.py", line 795, in ssl_upgrade
  File "E:/xpra/xpra/net/socket_util.py", line 1023, in ssl_handshake
xpra.net.socket_util.SSLVerifyFailure: self-signed certificate

[totaam]

If you're connecting to the proxy server, then unless you have changed the configuration, authentication is going to be needed - but this cannot be done safely over TCP, so the client is attempting to upgrade to SSL.
Unfortunately, the SSL certificate is the default self-signed one, so verification failed.
We should definitely handle this better.

[themoonisacheese]

i see. is there a way to invoke xpra that accepts self-signed certs? this is an environment I trust not to be meddled with (if it is, i have considerably bigger problems than xpra).

i have since managed to make it work (it did not work before, but i don't know what i'm doing exactly so it was probably my fault) by doing xpra start --bind-tcp=0.0.0.0:10000 --start=xterm on the server and xpra attach tcp://... on the client.

closing as i have a workaround.

[totaam]

To skip SSL certificate verification: --ssl-server-verify-mode=none.

[totaam]

Looks like I forgot to backport: c819f21, see details in #3313