• Bug#1105177: onionprobe: TLS (https) probes fail to verify certificates

    From Gabriel Filion@21:1/5 to All on Mon May 12 23:10:02 2025
    Package: onionprobe
    Version: 1.2.0+ds-1
    Severity: normal
    Tags: upstream patch

    Hello,

    I've just tried setting up onionprobe 1.2.0 on a trixie host to make it
    monitor a .onion service with https (on port 443). After some delay,
    onionprobe checked the site and showed the following errors:

    May 12 20:13:48 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:48,480 INFO: Trying to do a TLS connection to v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443 (attempt 1)...
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:50,194 INFO: TLS connection succeeded at v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:50,194 INFO: Retrieving certificate information for v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:212: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: not_valid_before = cert.not_valid_before.timestamp()
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:213: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: not_valid_after = cert.not_valid_after.timestamp()
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:142: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 'notAfter': cert.not_valid_after.replace(
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:144: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 'notBefore': cert.not_valid_before.replace(
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:177: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: not_valid_after = cert.not_valid_after.replace(tzinfo=timezone.utc).timestamp()
    May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:50,198 ERROR: module 'ssl' has no attribute 'match_hostname'


    The result is a metric onion_service_valid_certificate exported to
    Prometheus with a value of 2, indicating that the certificate is invalid,
    but curl is able to reach the website without errors. Really, the issue
    seems to be that the code failed to run its verification.

    Upstream has already addressed the errors above, so we could backport the patches:

    https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/commit/26b18404cdd3bb64d73eba0df6b09b014232d3ae

    https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/merge_requests/110/commits


    cheers!

    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (500, 'unstable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.12.22-amd64 (SMP w/16 CPU threads; PREEMPT)
    Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE
    not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages onionprobe depends on:
    ii adduser 3.150
    ii init-system-helpers 1.68
    ii python3 3.13.3-1
    ii python3-cryptography 43.0.0-2
    ii python3-prometheus-client 0.21.1+ds1-1
    ii python3-requests 2.32.3+dfsg-5
    ii python3-socks 1.7.1+dfsg-1
    pn python3-stem <none>
    ii python3-yaml 6.0.2-1+b2
    ii tor 0.4.8.16-1

    onionprobe recommends no packages.

    Versions of packages onionprobe suggests:
    pn prometheus <none>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
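An added example, not onionprobe's code and not taken from the upstream patches linked in the report, of the two checks the report says never ran: matching the hostname against the certificate's names without ssl.match_hostname (removed in Python 3.12, which is why the ERROR line above appears on trixie's Python 3.13), and checking the validity window. It also keeps "the check could not run" separate from "the certificate is invalid", which is the distinction the report's exported value of 2 blurs. To run with the standard library only, it works on getpeercert()-style dicts and ssl.cert_time_to_seconds() rather than on the cryptography package's not_valid_*_utc properties mentioned in the warnings. The certificate dicts, the .onion names, the fixed timestamp and the three state labels are constructed for this example; how onionprobe encodes states other than 2 is not shown on this page.

```python
import ssl

# Fixed "current time" (2025-06-01T00:00:00Z) so the example is deterministic.
NOW = 1748736000

# Certificate dicts constructed for this example, in the shape that
# ssl.SSLSocket.getpeercert() returns; they are not captured from any real host.
CERTS = {
    "ok": {
        "subject": ((("commonName", "example.onion"),),),
        "subjectAltName": (("DNS", "example.onion"), ("DNS", "*.example.onion")),
        "notBefore": "May  1 00:00:00 2025 GMT",
        "notAfter": "Aug  1 00:00:00 2025 GMT",
    },
    "expired": {
        "subject": ((("commonName", "example.onion"),),),
        "subjectAltName": (("DNS", "example.onion"),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "May  1 00:00:00 2025 GMT",
    },
    "wrong_name": {
        "subject": ((("commonName", "other.onion"),),),
        "subjectAltName": (("DNS", "other.onion"),),
        "notBefore": "May  1 00:00:00 2025 GMT",
        "notAfter": "Aug  1 00:00:00 2025 GMT",
    },
    # Truncated dict: the validity fields are missing, so the check cannot complete.
    "broken": {
        "subjectAltName": (("DNS", "example.onion"),),
    },
}


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Compare one dNSName with a hostname, RFC 6125 style: case-insensitive,
    a wildcard is allowed only as the whole leftmost label, matches exactly one
    label, and is refused for names of fewer than three labels (no '*.onion')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if "*" not in pattern:
        return plabels == hlabels
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in label for label in plabels[1:]):
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Stand-in for ssl.match_hostname(), which Python 3.12 removed.
    Raises ssl.CertificateError on mismatch, as the removed function did."""
    if not cert:
        raise ValueError("empty or missing certificate")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # No dNSName entries at all: fall back to the subject commonName.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    if any(dnsname_match(name, hostname) for name in names):
        return
    raise ssl.CertificateError(f"hostname {hostname!r} doesn't match {names!r}")


def legacy_hostname_check_available() -> bool:
    """True on Python < 3.12, where ssl.match_hostname still exists."""
    return hasattr(ssl, "match_hostname")


def certificate_state(cert: dict, hostname: str, now: float = NOW,
                      use_legacy: bool = False) -> str:
    """Return 'valid', 'invalid' or 'error' (labels chosen for this example).

    'error' is kept apart from 'invalid' on purpose: a check that could not run
    (the AttributeError from the missing ssl.match_hostname, a malformed
    certificate dict, an unparsable date) says nothing about the certificate,
    and reporting it as 'invalid' hides the real failure from the operator."""
    try:
        if use_legacy:
            ssl.match_hostname(cert, hostname)  # AttributeError on Python >= 3.12
        else:
            match_hostname(cert, hostname)
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except ssl.CertificateError:
        return "invalid"
    except Exception:  # AttributeError, KeyError, ValueError, ...
        return "error"
    if now < not_before or now > not_after:
        return "invalid"
    return "valid"


if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(f"{label:>10}: {certificate_state(cert, 'example.onion')}")
    print(f"    legacy: {certificate_state(CERTS['ok'], 'example.onion', use_legacy=True)}")
```

With use_legacy=True the "ok" certificate comes back as "error" on Python 3.12 and later and as "valid" on older interpreters, which is exactly the version-dependent failure the report describes; the point of the separate state is that a monitoring metric should show that difference rather than fold it into "invalid".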