Package: python3-sleekxmpp
Version: 1.3.1-6
Severity: normal

Dear Maintainer,

I have been using painintheapt on several systems running jessie, jessie-backports, and stretch. For quite some time the hosts running jessie-backports and stretch have been failing to execute painintheapt, in fact there's an infinite loop. Today I decided to investigate the problem and discovered a bug in sleekxmpp.

I tweaked a copy of the painintheapt script to enable debug logging which produced the following output, with reconnection attempts repeated indefinitely:

    DEBUG Waiting 2.072999311351683 seconds before connecting.
    DEBUG DNS: Querying SRV records for unzane.com
    DEBUG DNS: Querying jabber.unzane.com for AAAA records.
    DEBUG DNS: Querying jabber.unzane.com for A records.
    DEBUG Connecting to [2001:470:e861:4::2]:5222
    DEBUG Event triggered: connected
    DEBUG ==== TRANSITION disconnected -> connected
    DEBUG Starting HANDLER THREAD
    DEBUG Loading event runner
    DEBUG SEND (IMMED): <stream:stream to='unzane.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
    DEBUG RECV: <stream:stream id="15762184421087048225" version="1.0" from="unzane.com" xml:lang="en">
    DEBUG RECV: <stream:features xmlns="http://etherx.jabber.org/streams"><c xmlns="http://jabber.org/protocol/caps" node="http://www.process-one.net/en/ejabberd/" hash="sha-1" ver="N+nCub6oxVjIxxoREHOeJv4wQNU=" /><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
    DEBUG SEND (IMMED): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required /></starttls>
    DEBUG RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
    DEBUG Starting TLS
    INFO Negotiating TLS
    INFO Using SSL version: TLSv1
    DEBUG CERT: -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    DEBUG Event triggered: ssl_cert
    ERROR time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1492, in _process
        if not self.__read_xml():
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1564, in __read_xml
        self.__spawn_event(xml)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 1632, in __spawn_event
        handler.prerun(stanza_copy)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line 64, in prerun
        self.run(payload, True)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/handler/callback.py", line 76, in run
        self._pointer(payload)
      File "/usr/lib/python3/dist-packages/sleekxmpp/features/feature_starttls/starttls.py", line 64, in _handle_starttls_proceed
        if self.xmpp.start_tls():
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/xmlstream.py", line 889, in start_tls
        cert.verify(self._expected_server_name, self._der_cert)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 141, in verify
        not_before, not_after = extract_dates(raw_cert)
      File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 118, in extract_dates
        not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
      File "/usr/lib/python3.5/_strptime.py", line 510, in _strptime_datetime
        tt, fraction = _strptime(data_string, format)
      File "/usr/lib/python3.5/_strptime.py", line 343, in _strptime
        (data_string, format))
    ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
    DEBUG reconnecting...
    DEBUG Event triggered: session_end
    DEBUG SEND (IMMED): </stream:stream>
    INFO Waiting for </stream:stream> from server
    DEBUG Event triggered: disconnected
    DEBUG ==== TRANSITION connected -> disconnected
    DEBUG connecting...
    DEBUG Waiting 2.238069225097097 seconds before connecting.
    ...

The "ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'" exception shows that sleekxmpp is expecting a two-digit year rather than a four-digit year.

Further inspection of the extract_dates function in xmlstream/cert.py reveals some programming mistakes:

      def extract_dates(raw_cert):
          if not HAVE_PYASN1:
              log.warning("Could not find pyasn1 and pyasn1_modules. " + \
                          "SSL certificate expiration COULD NOT BE VERIFIED.")
              return None, None

          cert = decoder.decode(raw_cert, asn1Spec=Certificate())[0]
          tbs = cert.getComponentByName('tbsCertificate')
          validity = tbs.getComponentByName('validity')

          not_before = validity.getComponentByName('notBefore')
    ①     not_before = str(not_before.getComponent())

          not_after = validity.getComponentByName('notAfter')
    ①     not_after = str(not_after.getComponent())

    ②     if isinstance(not_before, GeneralizedTime):
              not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
          else:
    ③         not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')

    ②     if isinstance(not_after, GeneralizedTime):
              not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
          else:
    ③         not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ')

          return not_before, not_after

At ①, the use of str() causes the isinstance() test at ② to always be False, resulting in strptime() calls at ③ which use %y instead of %Y and throw ValueError. It looks like this was for some compatibility with ancient versions of pyasn1.

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-sleekxmpp depends on:
ii  python3                 3.5.3-1
ii  python3-dnspython       1.15.0-1
ii  python3-pyasn1          0.1.9-2
ii  python3-pyasn1-modules  0.0.7-0.1

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil  2.5.3-2
ii  python3-gnupg     0.3.9-1
ii  python3-socks     1.6.5-1

python3-sleekxmpp suggests no packages.

-- no debconf information

-- 
Gerald Turner <gtur...@unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
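
The ordering problem described in the report, reproduced offline as an added example; this is not sleekxmpp's or the reporter's code. The `Asn1Time`, `UTCTime` and `GeneralizedTime` classes are small stand-ins assumed here for the decoded pyasn1 values, the function names are hypothetical, and the RFC 5280 century rule for UTCTime goes beyond what the report covers.

```python
from datetime import datetime


class Asn1Time:
    """Stand-in for a decoded pyasn1 time value (assumed, not pyasn1's class)."""
    def __init__(self, text):
        self.text = text

    def __str__(self):
        return self.text


class UTCTime(Asn1Time):          # two-digit year: YYMMDDHHMMSSZ
    pass


class GeneralizedTime(Asn1Time):  # four-digit year: YYYYMMDDHHMMSSZ
    pass


def parse_like_report(component):
    """Same order of operations as the reported code: str() first, type test second."""
    value = str(component)                      # ASN.1 type information is lost here
    if isinstance(value, GeneralizedTime):      # always False for a plain str
        return datetime.strptime(value, '%Y%m%d%H%M%SZ')
    return datetime.strptime(value, '%y%m%d%H%M%SZ')


def parse_validity_time(component):
    """Test the ASN.1 type first, then convert to text."""
    value = str(component)
    if isinstance(component, GeneralizedTime):
        return datetime.strptime(value, '%Y%m%d%H%M%SZ')
    if isinstance(component, UTCTime):
        # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY.
        # strptime's %y pivots at 69 instead, so expand the year by hand.
        century = 1900 if int(value[:2]) >= 50 else 2000
        return datetime.strptime(str(century + int(value[:2])) + value[2:],
                                 '%Y%m%d%H%M%SZ')
    raise TypeError('unexpected validity time type: %r' % type(component))
```

With the notBefore value from the log, `parse_like_report` raises the same ValueError while `parse_validity_time` returns 2014-04-07 17:27:00; a constructed UTCTime of `500101000000Z` shows the pivot difference (1950 under RFC 5280, 2050 under `%y`).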