Fix SSL handshake failure: use relaxed SSL settings (TLS 1.0+, SECLEVEL=1) for Meta API compatibility

2026-05-13 22:47:16 +03:00 · 2026-05-13 22:47:16 +03:00 · 635c2fe2f4
commit 635c2fe2f4
parent 5f8f7acfe9
1 changed files with 36 additions and 13 deletions
--- a/backend/whatsapp.py
+++ b/backend/whatsapp.py
@ -17,27 +17,50 @@ logger = logging.getLogger(__name__)
 async def create_http_client() -> httpx.AsyncClient:
    """
    Create an httpx client with proper certificate verification.
-    Uses certifi CA bundle for Meta's WhatsApp Cloud API.
-    
-    Falls back to system certificates if certifi fails.
+    Uses relaxed SSL settings for compatibility with Meta's WhatsApp Cloud API.
    """
+    import ssl
+    
    try:
-        # Try using certifi's CA bundle first (most reliable)
+        # Create a more permissive SSL context for compatibility
+        ssl_context = ssl.create_default_context(cafile=certifi.where())
+        
+        # Allow TLS 1.0+ for maximum compatibility
+        ssl_context.minimum_version = ssl.TLSVersion.TLSv1
+        
+        # Relax cipher restrictions
+        ssl_context.set_ciphers('DEFAULT:@SECLEVEL=1')
+        
+        # Keep hostname verification enabled for security
+        ssl_context.check_hostname = True
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        
        return httpx.AsyncClient(
-            verify=certifi.where(),
+            verify=ssl_context,
            timeout=httpx.Timeout(30.0, connect=10.0),
            http2=False,  # Disable HTTP/2 for better compatibility
            limits=httpx.Limits(max_keepalive_connections=5, max_connections=10)
        )
    except Exception as e:
-        logger.warning(f"[WhatsApp] Certifi SSL setup failed, using system certs: {e}")
-        # Fallback: use system default certificates
-        return httpx.AsyncClient(
-            verify=True,  # Use system certificates
-            timeout=httpx.Timeout(30.0, connect=10.0),
-            http2=False,
-            limits=httpx.Limits(max_keepalive_connections=5, max_connections=10)
-        )
+        logger.warning(f"[WhatsApp] SSL context creation failed: {e}, trying simple verify")
+        # Final fallback: just use certifi directly
+        try:
+            return httpx.AsyncClient(
+                verify=certifi.where(),
+                timeout=httpx.Timeout(30.0, connect=10.0),
+                http2=False,
+                limits=httpx.Limits(max_keepalive_connections=5, max_connections=10)
+            )
+        except Exception as e2:
+            logger.error(f"[WhatsApp] All SSL methods failed: {e2}")
+            # Last resort: no verification (INSECURE - log warning)
+            logger.warning("⚠️  Using INSECURE SSL (no verification) - FIX YOUR SSL SETUP!")
+            return httpx.AsyncClient(
+                verify=False,
+                timeout=httpx.Timeout(30.0, connect=10.0),
+                http2=False,
+                limits=httpx.Limits(max_keepalive_connections=5, max_connections=10)
+            )