Make verify_fingerprint work with auth_cert
With the latest git version it is not possible to use both auth_cert and verify_fingerprint.
If you try to do that, you will get this error:
Syncing calendar
debug: ====================
[cut]
debug: Sending request...
error: Unknown error occurred for calendar: 'Fingerprint' object has no attribute 'load_cert_chain'
error: Use `-vdebug` to see the full traceback.
[cut]
debug: File "/usr/lib/python3/dist-packages/vdirsyncer/http.py", line 134, in request
debug: ssl_context.load_cert_chain(*cert)
debug: ^^^^^^^^^^^^^^^^^^^^^^^^^^^
When verify_fingerprint is specified, ssl_context is the return value of
https://github.com/pimutils/vdirsyncer/blob/d1f93ea0becfa4966ef73c05ec6bc75b2bdf42bf/vdirsyncer/http.py#L83
In my understanding, this is the correct way of doing fingerprint pinning using aiohttp; unfortunately, the Fingerprint object doesn't have a load_cert_chain method.
This is a limitation of aiohttp and there is already an issue that tracks it: https://github.com/aio-libs/aiohttp/issues/3679
Until that issue is resolved, it is possible to make vdirsyncer work by monkey-patching session._connector._make_ssl_context (I can create a PR if this approach is acceptable).
There is a more general security problem when using fingerprint pinning and client certs together in Python: the fingerprint will be checked only after the client cert verification has already happened. This problem can be fixed neither in vdirsyncer nor in aiohttp.
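The combination this issue asks for, sketched with only the standard-library ssl module (an added example, not vdirsyncer or aiohttp code; all function names are hypothetical). It keeps the SSLContext that carries the client certificate separate from the fingerprint check, and a comment marks where the ordering problem from the last paragraph shows up.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AA:BB:...' or 'aabb...' and return the raw SHA-256 digest bytes."""
    digest = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return digest


def pin_matches(der_cert, expected):
    """Constant-time comparison of the certificate's SHA-256 with the pin."""
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(), expected)


def make_pinned_context(auth_cert=None):
    """Real SSLContext for pinned connections: the pin replaces CA validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    if auth_cert:
        # auth_cert is (certfile,) or (certfile, keyfile); a context has
        # load_cert_chain, unlike a fingerprint-only object.
        ctx.load_cert_chain(*auth_cert)
    return ctx


def connect_pinned(host, port, fingerprint, auth_cert=None, timeout=10):
    """Open a TLS socket and reject it unless the server cert matches the pin."""
    expected = normalize_fingerprint(fingerprint)
    ctx = make_pinned_context(auth_cert)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The handshake is complete here, so a client certificate may already
    # have been presented to the peer before the pin is checked.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```

Because the pin is compared only after `wrap_socket` returns, closing the socket on a mismatch prevents any application data from being sent but does not undo the client-certificate exchange.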