Disable ssl VERIFY_X509_STRICT with self-signed certificate DNS

[therve]

The new flag enforced in Python 3.13 with
python/cpython#107361 doesn't work with the semi broken Freebox self signed certificates.

It should fix home-assistant/core#132333

Fixes #734

[olivierh65]

For me, this doesn't solve the problem described in home-assistant/core#132333.

I had to disable certificate verification:

        ssl_ctx = ssl.create_default_context()
        ssl_ctx.load_verify_locations(cafile=cert_path)
      + ssl_ctx.check_hostname = False
      + ssl_ctx.verify_mode = ssl.CERT_NONE

        conn = aiohttp.TCPConnector(ssl_context=ssl_ctx)
        self._session = aiohttp.ClientSession(connector=conn)```

[therve]

It's surprising. There is no reason for the SSL verification to work in python 3.12 and to start failing suddenly with 3.13. The main thing that changed with 3.13 is the 2 additional flags. Can you try disabling VERIFY_X509_PARTIAL_CHAIN?

[olivierh65]

I tried to disable only VERIFY_X509_PARTIAL_CHAIN , but it didn't solve the problem.

[therve]

OK I'm not sure what's going on. I can confirm that this PR works for me with a Delta.

[Quentame]

Currently testing on Revolution

[Quentame]

@olivierh65 : what Freebox model, Freebox firmware version and Python version do you have ?

[Quentame]

From py3.11: OK ✅
To py3.13 before your PR: ❌

aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host mafreebox.freebox.fr:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1018)')]

To py3.13 after your PR: OK ✅

[Quentame]

Tested and working, thanks !

[jeanrobertjs]

@olivierh65 : what Freebox model, Freebox firmware version and Python version do you have ?

I have the same issue on Freebox Delta.

These are my configs:

Python version = 3.13

and from : http://mafreebox.freebox.fr/api_version I get :

• "box_model_name": "Freebox v7 (r1)",
• "https_available": true,
• "box_model": "fbxgw7-r1/full",
• "api_version": "12.2",
• "device_type": "FreeboxServer7,1"

@Quentame How can I test your PR, pls?

[olivierh65]

On my side : {"box_model_name":"Freebox Server (r2)","api_base_url":"\/api\/","https_port":0000pp,"device_name":"Freebox Server","https_available":true,"box_model":"fbxgw-r2\/full","api_domain":"llllllllll.fbxos.fr","api_version":"12.2","device_type":"FreeboxServer1,2"} If you create a new domain with a let's crypt certificat, and use this domain to connect the plug-in, it should work.

[Quentame]

@jeanrobertjs

How can I test your PR, pls?

By running this file

---

@olivierh65

If you create a new domain with a let's crypt certificat, and use this domain to connect the plug-in, it should work.

What I wrote there home-assistant/core#132333 (comment) 😉

[olivierh65]

@jeanrobertjs

@olivierh65

If you create a new domain with a let's crypt certificat, and use this domain to connect the plug-in, it should work.

What I wrote there home-assistant/core#132333 (comment) 😉

Yes, it was just a confirmation

[C-Duv]

I think an host.endswith(".fboxos.fr") and host = "mafreebox.freebox.fr" would be safer.

[Quentame]

Indeed, but I am finally not sure of keeping this check, as there is an issue with Italian Freeboxes : Illiadbox

See home-assistant/core#133246

[Quentame]

Or using some kind of regex that should match both FR and ITA boxes.
As bo?x(os)?([\w\.]+)?\.[\w]{2,4}, to match:

• invalid: .fbxos.fr
• invalid: mafreebox.freebox.fr
• valid: custom.freeboxos.fr
• invalid: .ibxos.it
• invalid: myiliadbox.iliad.it
• valid: custom.iliadboxos.it

But the issue is that this regex matches all DNS, including valid ones.

OK, found one that matches only invalid ones (bxos)|(box\.[\w]+)\.[\w]{2,4}.

But not sure if this is even needed ...

[Quentame]

If Free/the Iliad Group expend in an other country, we probably need to update that, and I don't really want to see an other issue for that.

[theblackhole]

@Quentame If you want to do a regex, I think your last one is not strict enough (demo).

Iliad is not going to expand to other countries regularly so I don't know if it is worth opening the SSL exclusion that much. Also we can't know in advance what name they could take and even if we can guess a pattern (eg: myiliadbox.iliad.pt and .ibxos.pt if they expand to portugal), it would not be very secure to include all tlds.

I suggest instead to stay explicit and add exclusions on a case-by-case basis. It can be condensed into a regex but it must be strict enough (demo):

(mafreebox\.freebox\.fr$)|(\.fbxos\.fr$)|(myiliadbox\.iliad\.it$)|(\.ibxos\.it$)

And if they continue along the lines of iliad.tld/.ibxos.tld then it will be enough to add these tlds in the regex (demo):

(mafreebox\.freebox\.fr$)|(\.fbxos\.fr$)|(myiliadbox\.iliad\.(it|pt|co\.uk)$)|(\.ibxos\.(it|pt|co\.uk)$)

If you really want to be more permissive to avoid future code edit, you could allow all country tlds like this (demo) :

(mafreebox\.freebox\.fr$)|(\.fbxos\.fr$)|(myiliadbox\.iliad\.([a-z]{2,4}|co\.uk)$)|(\.ibxos\.([a-z]{2,4}|co\.uk)$)