
SSLV3_ALERT_HANDSHAKE_FAILURE

Open neilsleightholm-paxton opened this issue 1 year ago • 15 comments

For the last few days aarlo has stopped working and I am seeing this in the logs:

Logger: pyaarlo
Source: custom_components/aarlo/pyaarlo/__init__.py:668
Integration: aarlo
First occurred: 10:50:07 (48 occurrences)
Last logged: 12:28:07

imap connection failed[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997) 2fa startup failed

I am wondering if it is related to this https://github.com/home-assistant/core/issues/74713.

Is anyone else seeing this?

neilsleightholm-paxton avatar Jul 18 '22 11:07 neilsleightholm-paxton

I don't have any control over the SSL stuff, the code uses the packages provided by Home Assistant.

Which version of Home Assistant are you on?

twrecked avatar Jul 20 '22 13:07 twrecked

I should have put that in the report! Home Assistant 2022.7.5

neilsleightholm-paxton avatar Jul 20 '22 14:07 neilsleightholm-paxton

Is anyone else seeing this?

neilsleightholm-paxton avatar Jul 22 '22 09:07 neilsleightholm-paxton

I'm seeing a similar error since updating Home Assistant:

Error while setting up scrape platform for sensor
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/entity_platform.py", line 250, in _async_setup_platform
    await asyncio.shield(task)
  File "/usr/src/homeassistant/homeassistant/components/scrape/sensor.py", line 108, in async_setup_platform
    await rest.async_update()
  File "/usr/src/homeassistant/homeassistant/components/rest/data.py", line 60, in async_update
    response = await self._async_client.request(
  File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1527, in request
    return await self.send(request, auth=auth, follow_redirects=follow_redirects)
  File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1614, in send
    response = await self._send_handling_auth(
  File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1642, in _send_handling_auth
    response = await self._send_handling_redirects(
  File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1679, in _send_handling_redirects
    response = await self._send_single_request(request)
  File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1716, in _send_single_request
    response = await transport.handle_async_request(request)
  File "/usr/local/lib/python3.10/site-packages/httpx/_transports/default.py", line 353, in handle_async_request
    resp = await self._pool.handle_async_request(req)
  File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 253, in handle_async_request
    raise exc
  File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 237, in handle_async_request
    response = await connection.handle_async_request(request)
  File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection.py", line 86, in handle_async_request
    raise exc
  File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection.py", line 63, in handle_async_request
    stream = await self._connect(request)
  File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection.py", line 150, in _connect
    stream = await stream.start_tls(**kwargs)
  File "/usr/local/lib/python3.10/site-packages/httpcore/backends/asyncio.py", line 76, in start_tls
    raise exc
  File "/usr/local/lib/python3.10/site-packages/httpcore/backends/asyncio.py", line 67, in start_tls
    ssl_stream = await anyio.streams.tls.TLSStream.wrap(
  File "/usr/local/lib/python3.10/site-packages/anyio/streams/tls.py", line 122, in wrap
    await wrapper._call_sslobject_method(ssl_object.do_handshake)
  File "/usr/local/lib/python3.10/site-packages/anyio/streams/tls.py", line 130, in _call_sslobject_method
    result = func(*args)
  File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:997)

barrycraig avatar Jul 22 '22 11:07 barrycraig

@twrecked I have fixed this for my issue by following this https://stackoverflow.com/questions/71006708/getting-sslv3-alert-handshake-failure-when-trying-to-connect-to-imap.

In "pyaarlo\backend.py" I needed to add

import ssl

            # Use OpenSSL's full DEFAULT cipher list instead of Python's
            # restricted default, then hand the context to imaplib.
            ctx = ssl.create_default_context()
            ctx.set_ciphers('DEFAULT')
            self._imap = imaplib.IMAP4_SSL(
                self._arlo.cfg.tfa_host, port=self._arlo.cfg.tfa_port, ssl_context=ctx
            )

I am thinking that my email provider (fasthosts) is using old ciphers. Not sure if you can make this an option.

neilsleightholm-paxton avatar Jul 24 '22 16:07 neilsleightholm-paxton

That might be the way to go for everyone. I'll try it here. And it's weakening the security level so I'll try and make it an option.

I need to beef up a whole lot of stuff in the IMAP, I'll try and bring them all in together.

twrecked avatar Jul 24 '22 20:07 twrecked

Thanks - let me know if you want me to test anything.

neilsleightholm-paxton avatar Jul 25 '22 06:07 neilsleightholm-paxton

imap.diff.gz

Can you unpack this diff? Github won't let me attach a diff directly. This is a first attempt. Add default_ciphers=True to the Aarlo options to test it.

This diff also includes a couple of other IMAP fixes:

  • turning on read only so incorrectly identified emails aren't marked read
  • ignore MIME type and try looking for the number anyway

twrecked avatar Jul 25 '22 13:07 twrecked

Will try later - which branch of git is this based on? (I believe I need a git repo to apply the patch, well with the tools I use I do.)

neilsleightholm-paxton avatar Jul 25 '22 14:07 neilsleightholm-paxton

I'll create a branch for you to test. I've got too much going on and got confused between hass-aarlo and pyaarlo.

What branch of hass-aarlo are you currently on?

twrecked avatar Jul 25 '22 14:07 twrecked

Currently editing live release not git - 0.7.2.beta.8.3. Don't worry about the branch, I think I can manually merge the changes (or find a different tool).

neilsleightholm-paxton avatar Jul 25 '22 14:07 neilsleightholm-paxton

Took a look at this last night and am confused. I changed the files in config\custom_components\aarlo\pyaarlo like I did before and I can't get the code to fail (even tried rebooting the HA VM). It looks like it is using a cached copy of the code, as if I set "default_ciphers: False" I get the message: Invalid config for [aarlo]: [default_ciphers] is an invalid option for [aarlo]. Check: aarlo->aarlo->default_ciphers.

neilsleightholm-paxton avatar Jul 26 '22 06:07 neilsleightholm-paxton

I forgot there are a few extra pieces you need for hass-aarlo. I created this branch with the changes: https://github.com/twrecked/hass-aarlo/tree/0.7.x-imap-ciphers

As for the login caching, delete this file .aarlo/session.pickle, it's in the home assistant configuration directory, and it will try to login again.

twrecked avatar Jul 26 '22 12:07 twrecked

I can confirm this code works for me. Deleted .aarlo/session.pickle and restarted and the 2fa failed; set "default_ciphers: True", restarted, and the 2fa passed.

neilsleightholm-paxton avatar Jul 26 '22 15:07 neilsleightholm-paxton

It seems that my IMAP is even worse; I've had to change the code in pyaarlo/tfa.py from

            if self._arlo.cfg.default_ciphers:
                # Full OpenSSL DEFAULT list, security level left unchanged
                ctx = ssl.create_default_context()
                ctx.set_ciphers("DEFAULT")
                self._arlo.debug("imap is using DEFAULT ciphers")

To this

            if self._arlo.cfg.default_ciphers:
                # PROTOCOL_TLSv1 selects TLS 1.0 as the protocol (deprecated
                # since Python 3.6); the OP_NO_SSLv2/3 bits are already implied
                # by it. @SECLEVEL=1 also admits SHA-1 certificate signatures
                # and 1024-bit keys.
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
                ctx.options |= ssl.OP_NO_SSLv2
                ctx.options |= ssl.OP_NO_SSLv3
                ctx.set_ciphers("DEFAULT:@SECLEVEL=1")
                self._arlo.debug("imap is using DEFAULT ciphers")

in order to get it working again, this will accept TLS v1.0 and up but no SSL v2 or v3.

gjelsoe avatar Aug 05 '22 05:08 gjelsoe
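A worked example added here by the editor, not code from hass-aarlo or pyaarlo, that covers both the `set_ciphers('DEFAULT')` fix posted earlier in the thread and the `@SECLEVEL=1` / TLS 1.0 variant in the comment above. The traceback in this thread shows Python 3.10, whose default `ssl` cipher string only offers forward-secret suites, drops HMAC-SHA1 suites and sets OpenSSL security level 2; an IMAP server that only offers, say, RSA-key-exchange/HMAC-SHA1 suites then fails the handshake, and a SHA-1-signed certificate chain is rejected at level 2 (the WRONG_SIGNATURE_TYPE case). Instead of one all-or-nothing option, the example builds the context in three tiers, keeps certificate verification and hostname checking on at every tier, and probes a server to find the least relaxation it actually needs. The tier names and the functions `make_imap_context`, `added_ciphers` and `probe_imap_tls` are this example's own; the host passed on the command line is whatever IMAP server you want to check.

```python
"""Tiered IMAP TLS contexts plus a probe. Added example, not pyaarlo code.

Assumptions: CPython >= 3.9 (imaplib timeout argument) linked against
OpenSSL 1.1.1 or 3.x. Tier names below are this example's own.
"""
import imaplib
import ssl
import warnings

# Ordered strictest to loosest. "strict" is Python's own default.
TIERS = ("strict", "legacy_ciphers", "legacy_tls")


def make_imap_context(tier="strict"):
    """Return an ssl.SSLContext for imaplib.IMAP4_SSL at the given tier.

    Every tier keeps CERT_REQUIRED and hostname checking: the relaxation
    is about which cipher suites, key sizes and protocol versions the
    server may use, never about skipping certificate validation.
    """
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}; expected one of {TIERS}")
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if tier == "legacy_ciphers":
        # OpenSSL's full DEFAULT list: re-adds RSA-key-exchange and
        # HMAC-SHA1 suites that Python's default string excludes. The
        # security level is left where the context already had it, so
        # weak keys and SHA-1 certificate signatures stay rejected.
        ctx.set_ciphers("DEFAULT")
    elif tier == "legacy_tls":
        # Lower the security level and allow TLS 1.0 and 1.1 as well.
        # OpenSSL 1.1.1 permits TLS < 1.2 and SHA-1 signatures at level 1;
        # OpenSSL 3.0 moved both to level 0, so pick the level that works.
        level = 0 if ssl.OPENSSL_VERSION_INFO[0] >= 3 else 1
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={level}")
        with warnings.catch_warnings():  # TLSv1 is deprecated in 3.10+
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def added_ciphers(base_ctx, relaxed_ctx):
    """Map each suite the relaxed context enables beyond base to a reason.

    Lets an operator see *what* a tier re-enables before turning it on.
    """
    base = {c["name"] for c in base_ctx.get_ciphers()}
    out = {}
    for c in relaxed_ctx.get_ciphers():
        if c["name"] in base:
            continue
        reasons = []
        if c.get("kea") == "kx-rsa":
            reasons.append("no forward secrecy")
        if (c.get("digest") or "").lower() == "sha1":
            reasons.append("HMAC-SHA1 MAC")
        out[c["name"]] = ", ".join(reasons) or "excluded by Python default"
    return out


def probe_imap_tls(host, port=993, timeout=10.0):
    """Try each tier in order; return (tier, negotiated cipher, version).

    Stops at the first tier that completes a handshake, so the result is
    the least relaxation the server needs. A certificate that does not
    verify fails at every tier, which is intended.
    """
    last_err = None
    for tier in TIERS:
        ctx = make_imap_context(tier)
        try:
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        except (ssl.SSLError, OSError) as exc:
            last_err = exc
            continue
        sock = conn.socket()
        result = (tier, sock.cipher()[0], sock.version())
        conn.logout()
        return result
    raise RuntimeError(f"no tier could connect to {host}:{port}: {last_err}")


if __name__ == "__main__":
    import sys
    gained = added_ciphers(make_imap_context("strict"),
                           make_imap_context("legacy_ciphers"))
    for name, why in sorted(gained.items()):
        print(f"legacy_ciphers re-enables {name}: {why}")
    if len(sys.argv) > 1:  # python this_file.py <your-imap-host>
        print(probe_imap_tls(sys.argv[1]))
```

Run it against the 2FA mail host and put the tier it reports into the integration's option; the negotiated cipher and protocol it prints are what to log at startup so a later provider upgrade (or downgrade) is visible. Note that `set_ciphers("DEFAULT")` alone never changes the security level, which is why the first fix in this thread was enough for one provider and the second needed `@SECLEVEL=1`.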