matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

Wrong SNI header gets set. #146

Closed merspieler closed 8 months ago

merspieler commented 8 months ago

Following setup:
Domain: merspieler.tk
Delegation to: matrix.merspieler.tk via SRV record:
_matrix._tcp.merspieler.tk. 3600 IN SRV 1 1 443 matrix.merspieler.tk.

Federation tester result:

{
  "WellKnownResult": {
    "m.server": "",
    "result": "Get \"https://merspieler.tk/.well-known/matrix/server\": remote error: tls: internal error",
    "CacheExpiresAt": 0
  },
  "DNSResult": {
    "SRVSkipped": false,
    "SRVCName": "_matrix._tcp.merspieler.tk.",
    "SRVRecords": [
      {
        "Target": "matrix.merspieler.tk.",
        "Port": 443,
        "Priority": 1,
        "Weight": 1
      }
    ],
    "SRVError": null,
    "Hosts": {
      "matrix.merspieler.tk.": {
        "CName": "matrix.merspieler.tk.",
        "Addrs": [
          "2a03:4000:28:19a::b:ba",
          "94.16.115.113"
        ],
        "Error": null
      }
    },
    "Addrs": [
      "[2a03:4000:28:19a::b:ba]:443",
      "94.16.115.113:443"
    ]
  },
  "ConnectionReports": {},
  "ConnectionErrors": {
    "94.16.115.113:443": {
      "Message": "Get \"https://94.16.115.113:443/_matrix/key/v2/server\": remote error: tls: internal error"
    },
    "[2a03:4000:28:19a::b:ba]:443": {
      "Message": "Get \"https://[2a03:4000:28:19a::b:ba]:443/_matrix/key/v2/server\": remote error: tls: internal error"
    }
  },
  "Version": {
    "error": "Get \"matrix://merspieler.tk/_matrix/federation/v1/version\": remote error: tls: internal error"
  },
  "FederationOK": false
}

SNI Proxy logs:

Dec 02 19:50:17 chaya sniproxy[588702]: [2a04:3541:1000:500:6866:a4ff:fe4c:5e7b]:58176 -> [2a03:4000:28:19a::b:ba]:443 -> <internal-IP>:443 [merspieler.tk] 7/7 bytes tx 558/558 bytes rx 0.027 seconds
Dec 02 19:50:17 chaya sniproxy[588702]: [2a04:3541:1000:500:6866:a4ff:fe4c:5e7b]:58180 -> [2a03:4000:28:19a::b:ba]:443 -> <internal-IP>:443 [merspieler.tk] 7/7 bytes tx 558/558 bytes rx 0.044 seconds
Dec 02 19:50:17 chaya sniproxy[588702]: [2a04:3541:1000:500:6866:a4ff:fe4c:5e7b]:58182 -> [2a03:4000:28:19a::b:ba]:443 -> <internal-IP>:443 [merspieler.tk] 7/7 bytes tx 578/578 bytes rx 0.023 seconds
Dec 02 19:50:17 chaya sniproxy[588702]: [2a04:3541:1000:500:6866:a4ff:fe4c:5e7b]:58184 -> [2a03:4000:28:19a::b:ba]:443 -> <internal-IP>:443 [merspieler.tk] 7/7 bytes tx 578/578 bytes rx 0.024 seconds
Dec 02 19:50:17 chaya sniproxy[588702]: [2a04:3541:1000:500:6866:a4ff:fe4c:5e7b]:58188 -> [2a03:4000:28:19a::b:ba]:443 -> <internal-IP>:443 [merspieler.tk] 7/7 bytes tx 522/522 bytes rx 0.025 seconds

As you can see, for all requests to the server the SNI header is set to merspieler.tk. For some of them that is expected, as it tries to query the .well-known file. After it has looked at the SRV record, it tries to get https://[2a03:4000:28:19a::b:ba]:443/_matrix/key/v2/server, but that request should now have the delegated matrix.merspieler.tk domain in the SNI header to get to the right machine; right now it again just uses the main domain.

richvdh commented 8 months ago

I'm afraid I'm not really following you.

It appears that the configuration at merspieler.tk is no longer as it was when you reported this issue. Obviously, this makes it very much harder to diagnose any issues.

I strongly suspect the behaviour you observed was correct. Note that the use of SRV records is not really recommended unless you have a very specific need for them, because correct use of them is not very intuitive. If you do want to use an SRV record, please study the specification, which makes it very explicit which TLS certificate must be presented.

I'm going to go ahead and close this issue for now. If you still consider there to be a bug, please provide a test domain which exhibits the faulty behaviour.
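
To make the point about the specification concrete, here is an added Go example (not code from matrix-federation-tester) that walks the spec's resolution order for a bare server name with the two lookups stubbed out, so it runs offline. The `Resolver`, `Target` and `IssueResolver` names are the example's own; IP-literal and explicit-port server names are left out, and the SRV data mirrors the setup described in this issue. It shows why the tester kept `merspieler.tk` in SNI: SRV delegation only moves the TCP connection, while .well-known delegation also moves the Host header and certificate name.

```go
package main

import "fmt"

// Target is where the federation client connects and which name it must put
// in the TLS SNI / Host header; the server's certificate has to match CertName.
type Target struct {
	ConnectHost string
	ConnectPort int
	HostHeader  string
	CertName    string
}

// Resolver injects the two lookups so the logic runs offline (no real DNS/HTTP).
type Resolver struct {
	WellKnown func(server string) (mServer string, ok bool)
	SRV       func(name string) (target string, port int, ok bool)
}

// Resolve applies the spec's resolution order for a bare hostname (IP-literal
// and explicit-port forms of the server name or m.server are left out here).
func (r Resolver) Resolve(serverName string) Target {
	if d, ok := r.WellKnown(serverName); ok {
		// .well-known delegation: everything moves to the delegated name.
		if t, p, ok := r.SRV("_matrix._tcp." + d); ok {
			return Target{t, p, d, d}
		}
		return Target{d, 8448, d, d}
	}
	// No well-known: an SRV record only redirects the TCP connection. Host
	// header, SNI and certificate all stay on the original server name.
	if t, p, ok := r.SRV("_matrix._tcp." + serverName); ok {
		return Target{t, p, serverName, serverName}
	}
	return Target{serverName, 8448, serverName, serverName}
}

// IssueResolver mirrors the setup in the report (constructed data): no
// usable well-known response, one SRV record pointing at matrix.merspieler.tk.
var IssueResolver = Resolver{
	WellKnown: func(string) (string, bool) { return "", false },
	SRV: func(name string) (string, int, bool) {
		if name == "_matrix._tcp.merspieler.tk" {
			return "matrix.merspieler.tk", 443, true
		}
		return "", 0, false
	},
}

func main() { fmt.Printf("%+v\n", IssueResolver.Resolve("merspieler.tk")) }
```

An SNI proxy in front of the SRV target therefore has to route on the original server name, or the delegation has to be done through /.well-known/matrix/server instead.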

merspieler commented 7 months ago

I'd consider the spec faulty... cause it doesn't work with an SNI proxy... broken as intended ig.