This repository has been archived by the owner on Feb 19, 2020. It is now read-only.

pyasn1 - always get certificate has expired #479

Open
fenchu opened this issue Dec 11, 2017 · 3 comments

@fenchu

fenchu commented Dec 11, 2017

pyasn1==0.4.2
pyasn1-modules==0.2.1
sleekxmpp==1.3.3

I've also tried older versions, same issue. Below is a self-signed cert, but I get expired on all certs I've tried.

$ openssl x509 -in mycert.cert -text | grep -A2 Validity
Validity
Not Before: Dec 11 08:15:33 2017 GMT
Not After : May 29 08:15:33 2020 GMT

DEBUG    RECV: <stream:features xmlns="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>X-OAUTH2</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" /><register xmlns="http://jabber.org/features/iq-register" /></stream:features>
DEBUG    SEND (IMMED): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
DEBUG    RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
DEBUG    Starting TLS
INFO     Negotiating TLS
INFO     Using SSL version: TLSv1
DEBUG    CERT: -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----

DEBUG    Event triggered: ssl_cert
ERROR    Certificate has expired.
DEBUG    Event triggered: session_end
DEBUG    Waiting for 3 threads to exit.

@ragazenta

Maybe your certificate is using the two-digit-year variant. It's broken (#461) in SleekXMPP v1.3.3. Downgrading to v1.3.2 works fine.

@virtadpt

I just ran into this during a system upgrade last night, and your suggestion (downgrade to SleekXMPP v1.3.2) is what worked to get my bridge back online, @ragazenta. I'm not sure my certificate (from Let's Encrypt) is using two-digit years, but that could be OpenSSL being overly helpful for once:

[drwho@leandra ~]$ echo | openssl s_client -connect jabber.redacted.foo:5222 -starttls xmpp 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 17 19:28:38 2018 GMT
notAfter=Jun 15 19:28:38 2018 GMT

Is there some information I could provide that would be helpful in diagnosing this further?

@Neustradamus

Have you tested with "master"?
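
Added example, not part of the original thread and not SleekXMPP's code: X.509 validity times come in a two-digit-year form (UTCTime) and a four-digit-year form (GeneralizedTime), the distinction the "two-digit-year variant" comment above points at. The sketch parses both per RFC 5280 and shows how a hypothetical parser that assumes only one form misreads the other; the function names, the encoded strings and the assumed current time are constructed for illustration.

```python
from datetime import datetime, timezone


def parse_x509_time(value: str) -> datetime:
    """Parse an X.509 validity time: UTCTime (YYMMDDHHMMSSZ) or
    GeneralizedTime (YYYYMMDDHHMMSSZ), as RFC 5280 profiles them."""
    digits = value[:-1]
    if not value.endswith("Z") or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a UTC ASN.1 time: {value!r}")
    if len(digits) == 12:
        # UTCTime: RFC 5280 maps YY >= 50 to 19YY and YY < 50 to 20YY.
        yy = int(digits[:2])
        digits = f"{1900 + yy if yy >= 50 else 2000 + yy}{digits[2:]}"
    elif len(digits) != 14:
        raise ValueError(f"unexpected ASN.1 time length: {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def validity_status(not_before: str, not_after: str, now: datetime) -> str:
    """Classify `now` against the certificate's validity window."""
    if now < parse_x509_time(not_before):
        return "not yet valid"
    if now > parse_x509_time(not_after):
        return "expired"
    return "valid"


def single_format_parse(value: str):
    """Hypothetical parser that assumes four-digit years only (not SleekXMPP's
    code). Returns None when strptime rejects the input."""
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


# Constructed encodings of the validity dates quoted in the first comment.
NOT_BEFORE_UTC = "171211081533Z"           # UTCTime, two-digit year
NOT_AFTER_UTC = "200529081533Z"
NOT_AFTER_GENERALIZED = "20200529081533Z"  # same instant, four-digit year
REPORT_DATE = datetime(2017, 12, 11, 12, 0, tzinfo=timezone.utc)  # assumed "now"

if __name__ == "__main__":
    print(validity_status(NOT_BEFORE_UTC, NOT_AFTER_UTC, REPORT_DATE))
    print(parse_x509_time(NOT_AFTER_UTC) == parse_x509_time(NOT_AFTER_GENERALIZED))
    print(single_format_parse(NOT_AFTER_UTC))  # a misread date or None, never 2020
```

A validity check built on the single-format parser would compare the current time against the misread date, so checking which ASN.1 time type the certificate actually carries is a useful first diagnostic step.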
