Make verify_fingerprint work with auth_cert
smeso opened this issue · 0 comments
With the latest git version it is not possible to use both `auth_cert` and `verify_fingerprint`.
If you try to do that, you will get this error:
```
Syncing calendar
debug: ====================
[cut]
debug: Sending request...
error: Unknown error occurred for calendar: 'Fingerprint' object has no attribute 'load_cert_chain'
error: Use `-vdebug` to see the full traceback.
[cut]
debug: File "/usr/lib/python3/dist-packages/vdirsyncer/http.py", line 134, in request
debug: ssl_context.load_cert_chain(*cert)
debug: ^^^^^^^^^^^^^^^^^^^^^^^^^^^
```
When `verify_fingerprint` is specified, `ssl_context` is the return value of
Line 83 in d1f93ea
In my understanding, this is the correct way of doing fingerprint pinning using `aiohttp`; unfortunately, the `Fingerprint` object doesn't have a `load_cert_chain` method.
This is a limitation of `aiohttp` and there is already an issue that tracks it: aio-libs/aiohttp#3679

Until that issue is resolved, it is possible to make vdirsyncer work by monkey-patching `session._connector._make_ssl_context` (I can create a PR if this approach is acceptable).
There is a more general security problem when using fingerprint pinning and client certs together in Python: the fingerprint will be checked only after the client cert verification has already happened. This problem can be fixed neither in vdirsyncer nor in aiohttp.
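
The ordering described in the last paragraph, sketched with the standard library `ssl` module as an added example (not part of the original issue, and not vdirsyncer's or aiohttp's code). The function names and the SHA-256 hex pin format are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def pinned_context(cert=None):
    """Context for pinning: CA and hostname checks off, optional client cert.

    cert is a (certfile, keyfile) tuple, as passed to load_cert_chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin, not a CA
    if cert is not None:
        ctx.load_cert_chain(*cert)   # the call a Fingerprint object lacks
    return ctx


def normalize_pin(pin):
    """Accept 'AA:BB:..' or 'aabb..' SHA-256 hex and return raw bytes."""
    raw = bytes.fromhex(pin.replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw


def fingerprint_matches(der_cert, pin):
    """Constant-time comparison of the certificate's SHA-256 with the pin."""
    digest = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(digest, normalize_pin(pin))


def connect_pinned(host, port, pin, cert=None, timeout=10):
    """Open a TLS socket; drop it if the server cert is not the pinned one."""
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = pinned_context(cert).wrap_socket(sock, server_hostname=host)
    # wrap_socket() has completed the handshake at this point, so a client
    # certificate requested by the peer has already been presented. The pin
    # check below only stops application data from being sent afterwards.
    if not fingerprint_matches(tls.getpeercert(binary_form=True), pin):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```

Because the pin is compared only after the handshake, a mismatch here still means the client certificate was offered to an unverified peer, which is the residual exposure the issue describes.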