PascalLG / nubo-hs

Self-hosted file sharing application in Haskell and PHP.
MIT License

TLS not working without certificate #6

Open Protonotarios opened 5 years ago

Protonotarios commented 5 years ago

Great app, but when I tried to init over https I got the following error:

error: unexpected error (InternalException (HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"my.server.tlg\"]",True,CertificateUnknown))))

Given that most users will use TLS, clearly for its encryption feature and not so much for certification (since this is a self-hosted app that runs on one's own server), TLS should be working regardless of the existence or not of a certificate.

You may consider this as a feature request. So, please, fix this and make it work, because I think no serious user would want to sync over plain http. You may put an extra warning if you wish and force the user to acknowledge before continuing.

PascalLG commented 5 years ago

TLS is supported and you already get an extra warning if you try to initialise over HTTP.

What OS are you running? I noticed this kind of error sometimes, when running nubo on Windows 10. The workaround is to open your server URL once with Edge. I guess this is necessary for Windows to add the certificate to the list of trusted certificates.

Protonotarios commented 5 years ago

Thanks for the fast response! When I filed this report I had tried it in Linux Mint 17.3, Win 7 and 8.1. Then, after your reply, I also tried in Mint 18.3 and Win 10 and did the Edge trick too. Always the same error. Then I realised I wasn't very accurate in my initial report. I thought there was no certificate on my server but apparently there is one. I use Media Temple shared hosting and it seems there is a certificate installed named "gridserver.com" owned by GoDaddy (parent company of Media Temple), which obviously is not my domain name. That's why the error message says NameMismatch. So far I hadn't had a problem with that because it can be easily overridden in any major browser. So I think nubo should give you this option too instead of an error.

PascalLG commented 5 years ago

I'm no TLS expert but it seems to me that you cannot configure TLS without having a certificate on the server side, and that disabling certificate validation on the client side weakens security a lot. So I'm not sure this is a good feature.

I'm adding it to my backlog though. I'll investigate to see what's possible with the TLS library I use in nubo.

Thanks for your report!
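
Added example, not part of the thread and not code from nubo or the Haskell TLS library it uses: a simplified RFC 6125-style name check showing why a certificate issued for the hosting provider's domain produces `NameMismatch` for the user's own host name, and that a certificate covering that name passes. The SAN lists and the helper names (`dns_name_matches`, `check_server_name`) are assumptions made for illustration.

```python
# Added illustration: simplified RFC 6125-style host name matching.
# Not nubo's code and not the implementation used by any TLS library.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def dns_name_matches(pattern, hostname):
    """Return True if a certificate dNSName pattern covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard is honoured only as the whole left-most label, and only
        # when at least two further labels follow (so "*.com" never matches).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_server_name(cert_dns_names, hostname):
    """Mimic the client's decision: [] means accepted, else failure reasons."""
    if any(dns_name_matches(n, hostname) for n in cert_dns_names):
        return []
    return ["NameMismatch %r" % hostname]

# Constructed sample data mirroring the situation described in the thread.
SHARED_HOST_CERT = ["gridserver.com", "*.gridserver.com"]  # assumed SAN list
OWN_DOMAIN_CERT = ["my.server.tlg"]  # hypothetical certificate for the user's host

if __name__ == "__main__":
    for names in (SHARED_HOST_CERT, OWN_DOMAIN_CERT):
        result = check_server_name(names, "my.server.tlg")
        print(names, "->", result or "accepted")
```

The name check is what binds the encrypted channel to the intended server; a client that skips it accepts any otherwise valid certificate, including one presented by a different host.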