AaronFiore/electrum
1
0
Fork 0
Code Activity
Files
02a9ab80be819468352f773bd7120421868d38f0
electrum/electrum
History
SomberNight 02a9ab80be interface: nicer error for CA-signed "Hostname mismatch" certs 
Previously when encountering a CA-signed cert that failed verification with "Hostname mismatch",
we would
1. erroneously mark it as self-signed
2. save its cert to pin it
3. when connecting to it later, and being served a CA-signed cert, we would reject the connection
  - I think this is because we use the saved cert (the peer cert, just the last cert in the chain) as if it was a root CA,
    and then during the connection we try to verify against that root. This fails as we are served a different root then.
Error logged in step(3):
```
  3.85 | W | i/interface.[wirg2tsto7rme7n26lkd3ivbvxmjyy2pktlozwjuep22jcsfsghfqbqd.onion:50002] | Cannot connect to main server due to SSL error (maybe cert changed compared to "/home/user/.electrum/testnet/certs/wirg2tsto7rme7n26lkd3ivbvxmjyy2pktlozwjuep22jcsfsghfqbqd.onion"). Exc: ConnectError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))
```

This commit fixes step(1), we won't mark the cert as self-signed, instead the error is propagated out and the connection closed.
```
 35.05 | I | i/interface.[wirg2tsto7rme7n26lkd3ivbvxmjyy2pktlozwjuep22jcsfsghfqbqd.onion:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'wirg2tsto7rme7n26lkd3ivbvxmjyy2pktlozwjuep22jcsfsghfqbqd.onion'. (_ssl.c:1007)")))
```

Compare:
- SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'wirg2tsto7rme7n26lkd3ivbvxmjyy2pktlozwjuep22jcsfsghfqbqd.onion'. (_ssl.c:1007)")
  - verify_code=62
- SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1007)')
  - verify_code=18

Note: the verify_code constants look stable, though they might be openssl-specific. I guess that's ok(?)
140540189c/include/openssl/x509_vfy.h.in (L224)
2024-06-07 14:56:03 +00:00
..
_vendor
dependencies: vendor "pyperclip" pkg, used by text gui
2024-01-24 00:14:30 +00:00
gui
Merge pull request #9076 from SomberNight/202405_android_config_pin
2024-05-31 11:14:50 +02:00
lnwire
peer_wire.csv: remove msgtype gossip_queries options, as the extract-formats.py tool
2024-02-15 16:10:25 +01:00
plugins
rm some legacy cruft for old python versions
2024-06-05 14:55:48 +00:00
qrreader
implement QR code scanning
2022-07-07 18:29:01 +02:00
scripts
chore: fix some typos
2024-05-15 20:41:01 +08:00
utils
stacktracer.py: small fixes and clean-up
2023-08-30 16:57:37 +00:00
wordlist
Fix CRLF issues. (#8026)
2022-10-20 18:43:54 +00:00
__init__.py
rm some legacy cruft for old python versions
2024-06-05 14:55:48 +00:00
address_synchronizer.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
base_crash_reporter.py
config: introduce ConfigVars
2023-05-25 17:39:48 +00:00
bip21.py
bip21: trivial follow-up
2024-05-30 13:08:13 +00:00
bip32.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
bip39_recovery.py
qt wizard bip39 recovery: better handle --offline mode
2023-12-01 17:37:58 +00:00
bip39_wallet_formats.json
bip39: add likely script vs derivation path mistakes for BIP49 and BIP84 paths (#8615)
2023-09-18 16:52:38 +00:00
bitcoin.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
blockchain.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
channel_db.py
ecc: refactor/clean-up sign/verify APIs
2024-04-11 15:25:45 +00:00
checkpoints_testnet.json
update block header checkpoints
2024-05-29 14:44:24 +00:00
checkpoints.json
update block header checkpoints
2024-05-29 14:44:24 +00:00
coinchooser.py
send tx change to lightning
2023-09-09 14:14:43 +02:00
commands.py
transaction: tx.sign API change: rm hex usage
2024-04-29 17:10:30 +00:00
constants.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
contacts.py
(trivial) contacts: add some type hints
2023-11-01 17:35:45 +00:00
crypto.py
rm some legacy cruft for old python versions
2024-06-05 14:55:48 +00:00
currencies.json
trt removed
2024-03-05 23:30:23 +01:00
daemon.py
daemon error-handling: fix traceback.format_exception() on old python
2024-06-05 14:45:28 +00:00
descriptor.py
(trivial) fix some import orders
2024-06-04 18:29:17 +00:00
dns_hacks.py
network: remove resolver monkey-patch as no local hostname lookups are performed when
2023-11-30 14:27:31 +01:00
dnssec.py
add FIXMEs to instances where we don't use the network proxy
2023-11-30 19:31:14 +00:00
ecc_fast.py
ecc: make libsecp256k1 "schnorrsig" module only required when used
2024-04-12 16:57:51 +00:00
ecc.py
ecc: ecdsa_verify to enforce low-S rule
2024-05-27 17:12:33 +00:00
electrum
exchange_rate.py
follow-up prev
2024-04-17 14:36:21 +00:00
i18n.py
i18n: simplify language default. only translate string if using GUI.
2024-01-16 17:23:43 +00:00
interface.py
interface: nicer error for CA-signed "Hostname mismatch" certs
2024-06-07 14:56:03 +00:00
invoices.py
i18n: translate a few untranslated strings and avoid early translate for pr_tooltips and pr_expiration_values
2023-11-14 12:07:49 +01:00
json_db.py
WalletDB: (trivial) add type hint
2024-02-12 18:26:08 +00:00
keystore.py
transaction: tx.sign API change: rm hex usage
2024-04-29 17:10:30 +00:00
lnaddr.py
dependencies: remove bitstring
2024-04-24 14:14:31 +00:00
lnchannel.py
transaction: tx.sign API change: rm hex usage
2024-04-29 17:10:30 +00:00
lnhtlc.py
util: kill bh2u
2023-02-17 11:43:11 +00:00
lnmsg.py
lnmsg: remove handling of optional fields in msgdata
2023-01-13 16:11:11 +01:00
lnonion.py
trampoline: fix off-by-one confusion of fees
2023-10-27 14:24:19 +00:00
lnpeer.py
swaps: broadcast_transaction error-handling
2024-06-05 19:00:51 +00:00
lnrater.py
Improve _mythread checks (#7403)
2021-07-15 14:52:25 +00:00
lnrouter.py
(trivial) fix some import orders
2024-06-04 18:29:17 +00:00
lnsweep.py
lnsweep: rm one usage of Transaction.get_preimage_script()
2024-05-24 13:40:48 +00:00
lntransport.py
util: kill bh2u
2023-02-17 11:43:11 +00:00
lnurl.py
lnurl: better error messages
2024-06-04 13:42:57 +00:00
lnutil.py
lnsweep: rm one usage of Transaction.get_preimage_script()
2024-05-24 13:40:48 +00:00
lnverifier.py
ecc: refactor/clean-up sign/verify APIs
2024-04-11 15:25:45 +00:00
lnwatcher.py
renames: use consistent naming of cltv delta vs cltv abs
2023-10-19 16:40:05 +00:00
lnworker.py
maybe_cleanup_forwarding: fix crash if payment_key not in self.received_mpp_htlcs
2024-06-05 16:49:33 +02:00
logging.py
fix some DeprecationWarnings in python3.12
2023-12-24 08:57:57 +00:00
mnemonic.py
mnemonic: add comments
2024-01-22 03:27:20 +00:00
mpp_split.py
mpp_split: make SplitConfig a subclass of dict, not just a type-hint
2023-10-27 14:24:12 +00:00
network.py
swaps: broadcast_transaction error-handling
2024-06-05 19:00:51 +00:00
old_mnemonic.py
Minor style changes
2021-03-21 00:36:23 -04:00
payment_identifier.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
paymentrequest_pb2.py
re-generate protobuf _pb2.py files and bump min required protobuf
2023-01-28 00:39:36 +00:00
paymentrequest.proto
paymentrequest.py
bitcoin.py/transaction.py: API changes: rm most hex usage
2024-04-29 17:10:26 +00:00
pem.py
flake8: enable more mandatory tests
2022-10-31 16:13:22 +00:00
plot.py
fix plot.py
2024-05-22 15:26:26 +00:00
plugin.py
win/mac build: bump pyinstaller (5.11.0->5.13.2)
2024-04-18 18:16:10 +00:00
plugins.json
move virtualkeyboard plugin to other repo
2024-04-13 11:35:49 +02:00
qrscanner.py
Consistently use translated strings for UserFacingException raises
2024-01-16 16:25:33 +01:00
ripemd.py
fix flake8-bugbear B016
2023-04-24 12:58:26 +00:00
rsakey.py
flake8: enable more mandatory tests
2022-10-31 16:13:22 +00:00
segwit_addr.py
dependencies: remove bitstring
2024-04-24 14:14:31 +00:00
servers_regtest.json
network: add another hardcoded signet server
2023-05-04 15:05:34 +00:00
servers_signet.json
Remove bublina Signet
2024-03-01 11:21:49 +01:00
servers_testnet.json
network: update hardcoded mainnet servers (and testnet)
2022-01-18 19:54:24 +01:00
servers.json
Update @lukechilds server address
2022-11-18 23:13:25 +01:00
simple_config.py
qt settings: expose LIGHTNING_PAYMENT_BUDGET_FEE_MAX_MILLIONTHS
2024-05-08 15:54:20 +00:00
slip39.py
slip39: implement extendable backups
2024-05-20 16:57:11 +02:00
sql_db.py
electrum: fix typos
2023-12-04 14:15:39 +08:00
storage.py
qt wizard: fix offline 2fa wallet creation in some cases
2024-05-28 15:31:37 +00:00
submarine_swaps.py
swaps: broadcast_transaction error-handling
2024-06-05 19:00:51 +00:00
synchronizer.py
addr_sync.receive_tx_callback: rm redundant tx_hash arg
2023-10-24 16:07:30 +00:00
trampoline.py
trampoline: rm hardcoded TRAMPOLINE_FEES. just use exponential search
2024-05-06 18:36:29 +00:00
transaction.py
transaction: tx.sign API change: rm hex usage
2024-04-29 17:10:30 +00:00
util.py
rm some legacy cruft for old python versions
2024-06-05 14:55:48 +00:00
verifier.py
config: introduce ConfigVars
2023-05-25 17:39:48 +00:00
version.py
update release notes for version 4.5.5
2024-05-29 17:05:48 +00:00
wallet_db.py
wallet_db: show electrum version in error dialog
2024-05-30 17:19:23 +02:00
wallet.py
fix plot.py
2024-05-22 15:26:26 +00:00
wizard.py
wizard: log state when view not defined. ref #8815
2024-03-01 10:56:32 +01:00
x509.py
fix some DeprecationWarnings in python3.12
2023-12-24 08:57:57 +00:00