hass-aarlo
SSLV3_ALERT_HANDSHAKE_FAILURE
For the last few days aarlo has stopped working and I am seeing this in the logs:
Logger: pyaarlo
Source: custom_components/aarlo/pyaarlo/init.py:668
Integration: aarlo (documentation, issues)
First occurred: 10:50:07 (48 occurrences)
Last logged: 12:28:07
imap connection failed[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)
2fa startup failed
I am wondering if it is related to this https://github.com/home-assistant/core/issues/74713.
Is anyone else seeing this?
I don't have any control over the SSL stuff, the code uses the packages provided by Home Assistant.
Which version of Home Assistant are you on?
I should have put that in the report! Home Assistant 2022.7.5
Is anyone else seeing this?
I'm seeing a similar error since updating Home Assistant:
Error while setting up scrape platform for sensor
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/helpers/entity_platform.py", line 250, in _async_setup_platform
await asyncio.shield(task)
File "/usr/src/homeassistant/homeassistant/components/scrape/sensor.py", line 108, in async_setup_platform
await rest.async_update()
File "/usr/src/homeassistant/homeassistant/components/rest/data.py", line 60, in async_update
response = await self._async_client.request(
File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1527, in request
return await self.send(request, auth=auth, follow_redirects=follow_redirects)
File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1614, in send
response = await self._send_handling_auth(
File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1642, in _send_handling_auth
response = await self._send_handling_redirects(
File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1679, in _send_handling_redirects
response = await self._send_single_request(request)
File "/usr/local/lib/python3.10/site-packages/httpx/_client.py", line 1716, in _send_single_request
response = await transport.handle_async_request(request)
File "/usr/local/lib/python3.10/site-packages/httpx/_transports/default.py", line 353, in handle_async_request
resp = await self._pool.handle_async_request(req)
File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 253, in handle_async_request
raise exc
File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 237, in handle_async_request
response = await connection.handle_async_request(request)
File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection.py", line 86, in handle_async_request
raise exc
File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection.py", line 63, in handle_async_request
stream = await self._connect(request)
File "/usr/local/lib/python3.10/site-packages/httpcore/_async/connection.py", line 150, in _connect
stream = await stream.start_tls(**kwargs)
File "/usr/local/lib/python3.10/site-packages/httpcore/backends/asyncio.py", line 76, in start_tls
raise exc
File "/usr/local/lib/python3.10/site-packages/httpcore/backends/asyncio.py", line 67, in start_tls
ssl_stream = await anyio.streams.tls.TLSStream.wrap(
File "/usr/local/lib/python3.10/site-packages/anyio/streams/tls.py", line 122, in wrap
await wrapper._call_sslobject_method(ssl_object.do_handshake)
File "/usr/local/lib/python3.10/site-packages/anyio/streams/tls.py", line 130, in _call_sslobject_method
result = func(*args)
File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:997)
@twrecked I have fixed this for my issue by following this https://stackoverflow.com/questions/71006708/getting-sslv3-alert-handshake-failure-when-trying-to-connect-to-imap.
In "pyaarlo\backend.py" I needed to add
import ssl
ctx = ssl.create_default_context()
ctx.set_ciphers('DEFAULT')
self._imap = imaplib.IMAP4_SSL(
    self._arlo.cfg.tfa_host, port=self._arlo.cfg.tfa_port, ssl_context=ctx
)
I am thinking that my email provider (fasthosts) is using old ciphers. Not sure if you can make this an option.
That might be the way to go for everyone. I'll try it here. And it's weakening the security level so I'll try and make it an option.
I need to beef up a whole lot of stuff in the IMAP, I'll try and bring them all in together.
Thanks - let me know if you want me to test anything.
Can you unpack this diff? GitHub won't let me attach a diff directly. This is a first attempt. Add default_ciphers=True to the Aarlo options to test it.
This diff also includes a couple of other IMAP fixes:
- turning on read only so incorrectly identified emails aren't marked read
- ignore MIME type and try looking for the number anyway
Will try later - which branch of git is this based on? (I believe I need a git repo to apply the patch, well with the tools I use I do.)
I'll create a branch for you to test. I've got too much going on and got confused between hass-aarlo and pyaarlo.
What branch of hass-aarlo are you currently on?
Currently editing live release not git - 0.7.2.beta.8.3. Don't worry about the branch, I think I can manually merge the changes (or find a different tool).
Took a look at this last night and am confused, I changed the files in config\custom_components\aarlo\pyaarlo like I did before and I can't get the code to fail (even tried rebooting the HA VM). It looks like it is using a cached copy of the code as if I set "default_ciphers: False" I get the message: Invalid config for [aarlo]: [default_ciphers] is an invalid option for [aarlo]. Check: aarlo->aarlo->default_ciphers.
I forgot there are a few extra pieces you need for hass-aarlo. I created this branch with the changes: https://github.com/twrecked/hass-aarlo/tree/0.7.x-imap-ciphers
As for the login caching, delete this file .aarlo/session.pickle, it's in the Home Assistant configuration directory, and it will try to log in again.
I can confirm this code works for me. Deleted .aarlo/session.pickle and restarted and the 2fa failed, set "default_ciphers: True", restarted and the 2fa passed.
It seems that my IMAP is even worse, I've had to change the code in pyaarlo/tfa.py
from
if self._arlo.cfg.default_ciphers:
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT")
    self._arlo.debug(f"imap is using DEFAULT ciphers")
To this
if self._arlo.cfg.default_ciphers:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    ctx.options |= ssl.OP_NO_SSLv2
    ctx.options |= ssl.OP_NO_SSLv3
    ctx.set_ciphers("DEFAULT:@SECLEVEL=1")
    self._arlo.debug(f"imap is using DEFAULT ciphers")
in order to get it working again; this will accept TLS v1.0 and up but no SSL v2 or v3.