Disable errbot cert verification


I'm having a hard time trying to connect errbot to a dev HipChat server because of an invalid SSL cert.

log:

21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: ssl_cert
21:16:01 ERROR    sleekxmpp.xmlstream.xmlst Could not match certficate against hostname: chat.btf.hipchat.com
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: session_end
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: disconnected
21:16:01 INFO     errbot.core               Disconnect callback, deactivating all the plugins.
21:16:01 DEBUG    sleekxmpp.thirdparty.stat  ==== TRANSITION connected -> disconnected
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst SEND (IMMED): <stream:stream to='chat.btf.hipchat.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: socket_error
21:16:01 WARNING  sleekxmpp.xmlstream.xmlst Failed to send b"<stream:stream to='chat.btf.hipchat.com' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en' version='1.0'>"
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: session_end
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: socket_error
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: disconnected
21:16:01 INFO     errbot.core               Disconnect callback, deactivating all the plugins.
21:16:01 DEBUG    sleekxmpp.thirdparty.stat  ==== TRANSITION connected -> disconnected
21:16:01 DEBUG    sleekxmpp.xmlstream.xmlst Event triggered: socket_error
21:16:01 ERROR    sleekxmpp.xmlstream.xmlst Socket Error #9: Bad file descriptor

Errbot keeps verifying the cert even though I specified 'verify': False in BOT_IDENTITY as well as XMPP_CA_CERT_FILE = None in config.

part of config:

BOT_IDENTITY = {
    ## HipChat mode (Comment the above if using this mode)
    'username' : '[email protected]',
    'password' : '123qweASD',
    ## Group admins can create/view tokens on the settings page after logging
    ## in on HipChat's website
    'token'    : 'sometoken',
    ## If you're using HipChat server (self-hosted HipChat) then you should set
    ## the endpoint below. If you don't use HipChat server but use the hosted version
    ## of HipChat then you may leave this commented out.
    'endpoint' : 'hipchat.test.intra',
    'verify': False,
}
XMPP_CA_CERT_FILE = None

Any ideas how to make it work are really appreciated.

There are 1 best solutions below


The source of this error happens in the verify function which verifies the certificate is valid in terms of hostname and validity date.

The value of XMPP_CA_CERT_FILE set in errbot's config is eventually passed to ca_certs in the XMLStream class where it's used to influence the cert_policy. That sets ssl.CERT_NONE but even so, it still calls verify.

That means currently you can have a (possibly self-signed) certificate without a valid trust root, but you will still have to ensure the hostname you're connecting to matches the hostname (CN) of the certificate. (This is something which SleekXMPP, the underlying XMPP library used by errbot, imposes on us and not directly something from errbot itself.)
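
Added example (not part of the original answer, and not SleekXMPP's own code): a small diagnostic for the two checks the answer says still run when the trust chain is not validated, the hostname match and the validity dates. The certificate dict is constructed in the format Python's ssl getpeercert() returns, the names in it are assumptions, and the wildcard rule is a simplified one.

```python
import ssl

def cert_names(cert):
    """Return DNS names from a getpeercert()-style dict: SANs, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may stand only for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, expected_host, now):
    """List the reasons this certificate would be rejected for expected_host."""
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, expected_host) for n in names):
        problems.append(f"hostname {expected_host!r} not in certificate names {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems

# Constructed sample: a self-signed cert assumed to name only the internal endpoint.
SAMPLE_CERT = {
    "subject": ((("commonName", "hipchat.test.intra"),),),
    "subjectAltName": (("DNS", "hipchat.test.intra"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")  # fixed clock for the sample

if __name__ == "__main__":
    for host in ("chat.btf.hipchat.com", "hipchat.test.intra"):
        print(host, "->", diagnose(SAMPLE_CERT, host, NOW) or "ok")
```

Running it against the names the server certificate actually carries shows which hostname the client must connect to, or which name a reissued certificate needs, so that the check passes without being disabled.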