Problems with static ticket auth within TLS

Hi there, I need to get static ticket auth working within a TLS connection. I was bugging autobahn-java about this but I am not to the point of trying it on Android yet.

What I have done is take the crossbario/crossbar-examples/wss example and add that config, with all keys, to the crossbar-examples/authentication/ticket/static example. The web-based client seems to be working, but when I ‘make clients’ for the Python client I get the following error:

SSL error: certificate verify failed (in tls_process_server_certificate)

Is this just the Python client having a problem with a self-signed key? If that’s the case it will be pretty difficult for me to test. Here is my config.json:

{
    "version": 2,
    "workers": [
        {
            "type": "router",
            "options": {
                "pythonpath": [
                    ".."
                ]
            },
            "realms": [
                {
                    "name": "realm1",
                    "roles": [
                        {
                            "name": "backend",
                            "permissions": [
                                {
                                    "uri": "",
                                    "match": "prefix",
                                    "allow": {
                                        "call": true,
                                        "register": true,
                                        "publish": true,
                                        "subscribe": true
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.example.topic2",
                                    "match": "exact",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": false,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                }
                            ]
                        },
                        {
                            "name": "frontend",
                            "permissions": [
                                {
                                    "uri": "com.example.add2",
                                    "match": "exact",
                                    "allow": {
                                        "call": true,
                                        "register": false,
                                        "publish": false,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.example.",
                                    "match": "prefix",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": true,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.example.topic2",
                                    "match": "exact",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": false,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.foobar.topic1",
                                    "match": "exact",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": true,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                }
                            ]
                        }
                    ]
                }
            ],
            "transports": [
                {
                    "type": "web",
                    "endpoint": {
                        "type": "tcp",
                        "port": 8080,
                        "tls": {
                            "key": "server_key.pem",
                            "certificate": "server_cert.pem",
                            "dhparam": "dhparam.pem",
                            "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
                        }
                    },
                    "paths": {
                        "/": {
                            "type": "static",
                            "directory": "../web"
                        },
                        "shared": {
                            "type": "static",
                            "directory": "../../../../_shared-web-resources"
                        },
                        "ws": {
                            "type": "websocket",
                            "serializers": [
                                "json"
                            ],
                            "auth": {
                                "ticket": {
                                    "type": "static",
                                    "principals": {
                                        "client1": {
                                            "ticket": "${MYTICKET}",
                                            "role": "frontend"
                                        },
                                        "joe": {
                                            "ticket": "secret!!!",
                                            "role": "frontend"
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            ],
            "components": [
                {
                    "type": "class",
                    "classname": "backend.BackendSession",
                    "realm": "realm1",
                    "role": "backend"
                }
            ]
        }
    ]
}

I tried updating ca_certificates with the CA certs and now I get the error:

SSL error: tlsv13 alert certificate required (in ssl3_read_bytes)

"transports": [
                {
                    "type": "web",
                    "endpoint": {
                        "type": "tcp",
                        "port": 8080,
                        "tls": {
                            "key": "server_key.pem",
                            "certificate": "testserver_askmeit_com.crt",
                            "ca_certificates": [
                                "My_CA_Bundle.ca-bundle",
                                "SectigoRSADomainValidationSecureServerCA.crt",
                                "AAACertificateServices.crt",
                                "USERTrustRSAAAACA.crt"
                            ],
                            "dhparam": "dhparam.pem",
                            "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
                        }
                    },
                    "paths": {
                        .......

FYI, I got it to work. It turns out only the bundle and the cert were relevant.

"transports": [
                {
                    "type": "web",
                    "endpoint": {
                        "type": "tcp",
                        "port": 8080,
                        "tls": {
                            "key": "server_key.pem",
                            "certificate": "testserver_askmeit_com.crt",
                            "chain_certificates": [
                                "My_CA_Bundle.ca-bundle"
                            ],
                            "dhparam": "dhparam.pem",
                            "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
                        }
                    },
...
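
Added example, not part of the original posts and not Crossbar's own code: a small Python check over the endpoint "tls" block and the static ticket principals shown in this thread. It assumes that `ca_certificates` is the trust root for client certificates (consistent with the "certificate required" alert above) and that `chain_certificates` holds the intermediates sent with the server certificate; the finding codes and function names are made up for this example.

```python
import json
import re

# Constructed sample: a shortened "tls" block and the principals from this thread.
SAMPLE = json.loads("""
{
  "tls": {
    "key": "server_key.pem",
    "certificate": "testserver_askmeit_com.crt",
    "ca_certificates": ["My_CA_Bundle.ca-bundle"],
    "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+3DES:RSA+AES:!ADH:!MD5"
  },
  "principals": {
    "client1": {"ticket": "${MYTICKET}", "role": "frontend"},
    "joe": {"ticket": "secret!!!", "role": "frontend"}
  }
}
""")

ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def audit_tls(tls):
    """Return finding codes (hypothetical names) for one endpoint "tls" block."""
    findings = []
    if tls.get("ca_certificates"):
        # Assumption: this list is used to verify *client* certificates,
        # so a client that presents none is rejected during the handshake.
        findings.append("client-cert-required")
    if not tls.get("chain_certificates"):
        # For a CA-issued certificate, no intermediates are sent to the client.
        findings.append("no-chain-certificates")
    enabled = [c for c in tls.get("ciphers", "").split(":") if c and not c.startswith("!")]
    if any("3DES" in c for c in enabled):
        findings.append("3des-listed")
    return findings


def literal_tickets(principals):
    """Return authids whose ticket is a literal instead of a ${ENV_VAR} reference."""
    return sorted(a for a, p in principals.items() if not ENV_REF.match(p.get("ticket", "")))


if __name__ == "__main__":
    print(audit_tls(SAMPLE["tls"]))
    print(literal_tickets(SAMPLE["principals"]))
```
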