Feature Request - Daphne Intermediate certificate support

[Enzodtz]

Issues are for concrete, actionable bugs and feature requests only - if you're just asking for debugging help or technical support we have to direct you elsewhere. If you just have questions or support requests please use:

• Stack Overflow
• The Django Users mailing list [email protected] (https://groups.google.com/forum/#!forum/django-users)

We have to limit this because of limited volunteer time to respond to issues!

Please also try and include, if you can:

• Your OS and runtime environment, and browser if applicable
• A pip freeze output showing your package versions
• What you expected to happen vs. what actually happened
• How you're running Channels (runserver? daphne/runworker? Nginx/Apache in front?)
• Console logs and full tracebacks of any errors

OS:

Ubuntu 16.04.7 LTS

pip freeze:

appdirs==1.4.4
asgiref==3.3.1
attrs==20.3.0
autobahn==20.12.3
Automat==20.2.0
blinker==1.3
certifi==2020.12.5
cffi==1.14.4
chardet==4.0.0
cloud-init==20.4
command-not-found==0.3
configobj==5.0.6
constantly==15.1.0
cryptography==3.3.1
daphne==3.0.1
distlib==0.3.1
dj-database-url==0.5.0
Django==3.1.5
django-crispy-forms==1.10.0
djangorestframework==3.12.2
djangorestframework-simplejwt==4.6.0
filelock==3.0.12
gunicorn==20.0.4
h2==3.2.0
hpack==3.0.0
hyperframe==5.2.0
hyperlink==21.0.0
idna==2.10
incremental==17.5.0
Jinja2==2.8
jsonpatch==1.10
jsonpointer==1.9
language-selector==0.1
oauthlib==1.0.3
pdfkit==0.6.1
Pillow==8.1.0
priority==1.3.0
psycopg2==2.8.6
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.20
pycurl==7.43.0
pygobject==3.20.0
PyHamcrest==2.0.2
PyJWT==2.0.0
pyOpenSSL==20.0.1
pyserial==3.0.1
python-apt==1.1.0b1+ubuntu0.16.4.11
pytz==2020.5
PyYAML==3.11
qrcode==6.1
requests==2.9.1
service-identity==18.1.0
six==1.15.0
sqlparse==0.4.1
Twisted==20.3.0
txaio==20.12.1
ufw==0.35
urllib3==1.26.2
whitenoise==5.2.0
xmltodict==0.12.0
zope.interface==5.2.0

Description

I'm using Daphne to host django, and I need to connect a Flutter aplication via Rest API. Locally via HTTP, this is working fine, I'm able to do requests and send responses. But when I test this on production, an error is raised:

HandshakeException (HandshakeException: Handshake error in client (OS Error:
	CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:354)))

You can see the SSL verification here.

This is telling me that the secure communication between the app and the server is not working properly, due to the certificate.
So, I tried to install the intermediate certificates, passing caCertsDir=/etc/ssl/certs. But when I run the server, it raises the following error:

TypeError: _parseSSL() got an unexpected keyword argument 'caCertsDir'

Then, I tried to join the certKey file with the intermediate certificates that I have. I got 2 scenarios:

1. Intermediate certs before the original certKey content

This, raises the error:

twisted.internet.error.VerifyError: Certificate public and private keys do not match.

Of course this does not make sense, since we don't have access to the private key of an intermediate certificate.

---

2. Intermediate certs after the original certKey content

This time, I got no errors, but the handshake error continued to happen in the app, and the SSL verification contiunued to show the same results.

---

Actually, Twisted has support for caCertsDir, but Daphne seems not to. (Twisted Reference)

Is there something that I can do to add these certificates? Thanks

[carltongibson]

Hi!

Is there something that I can do to add these certificates?

I'm happy to look at PRs adding whatever options we need to be able to specify certs (or an SSLContext... 🤔) — but I didn't have time yet to look into exactly what that might entail.

If you want to outline the required changes as a starting point that would be awesome!

Thanks. 👍

[Enzodtz]

Hi!

If you want to outline the required changes as a starting point that would be awesome!

Well, I don't know much about daphne's source code, but as I mentioned before, twisted has support for the certs, so maybe the midfield between daphne and twisted is not working properly.

[carltongibson]

@Enzodtz It's most likely that we're just not exposing the option. (I didn't get a chance to look into it yet.)

[Enzodtz]

Exactly.

[Enzodtz]

Hey,

So, I was trying to find where the problem is located to maybe fix it, and I think I got something:

At the first post on this issue, I mentioned this article which I was thinking that it says that it's possible to pass the certsDir argument to the twisted server.

But actually, when taking a real look at daphne's source code I figured that it's using serverFromString (daphne/server.py, 122) and twisted just allows the certsDir when using clientFromString , which is mentioned in the same article.

So, I think that this is not a daphne's issue, but twisted's one, since it's just passing the raw -e argument to twisted.

I don't know much about twisted, speacially about those functions, about why the argument is allowed for one but not for other and about the diference between them.

Then, my question is if we can do something on this in daphne's side, or maybe if we should talk with twisted team.

Thanks.

[carltongibson]

Closing this as it's essentially an issue about twisted endpoint strings.