matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

Fix issue with certs not being marked as valid for SRV #33

Closed anoadragon453 closed 5 years ago

anoadragon453 commented 5 years ago

The valid certification checker would not work properly if you were using SRV instead of well-known. We now do a well-known check -> SRV check -> certificate check. The previous method skipped the result of the SRV check in the certificate check.

We're now passing multiple domain names to the cert checker, and if any of them succeed report that certs are working. This seems like a working solution? Not sure if there's any edge case where this causes a false positive but open to feedback :)

Paired with: https://github.com/matrix-org/gomatrixserverlib/pull/111

richvdh commented 5 years ago

I'm failing to grok what's going on here. It looks like we'll accept a cert for either the original server name or the target of the SRV record? That's incorrect if so - the cert must match the original server name even if the SRV record points elsewhere.
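The rule richvdh states above (an SRV record only changes where the connection goes, never which name the certificate must be valid for) is easy to get wrong when discovery and TLS are wired up in separate steps. The following Go program is an added example, not code from matrix-federation-tester or gomatrixserverlib: it models the SRV step as producing a connect address plus an unchanged server name, pins `tls.Config.ServerName` to that server name, and checks a leaf certificate against it with `x509.VerifyHostname`. The `FederationTarget` type, the function names and the self-signed test certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strconv"
	"strings"
	"time"
)

// FederationTarget (hypothetical type for this example) separates the two
// things server discovery yields: the name whose certificate must be
// presented, and the host:port that the SRV record says to connect to.
type FederationTarget struct {
	ServerName  string // the name the certificate must be valid for
	ConnectHost string // SRV target: only where the TCP connection goes
	ConnectPort uint16
}

// ResolveWithSRV models the SRV step of discovery. With no SRV record we
// connect to the server name itself on 8448; with one, we connect to its
// target. In both cases ServerName is left untouched.
func ResolveWithSRV(serverName string, srv *net.SRV) FederationTarget {
	if srv == nil {
		return FederationTarget{ServerName: serverName, ConnectHost: serverName, ConnectPort: 8448}
	}
	return FederationTarget{
		ServerName:  serverName,
		ConnectHost: strings.TrimSuffix(srv.Target, "."),
		ConnectPort: srv.Port,
	}
}

// TLSConfigFor pins verification to the original server name, so that
// crypto/tls rejects a certificate issued only for the SRV target.
func TLSConfigFor(t FederationTarget) *tls.Config {
	return &tls.Config{ServerName: t.ServerName, MinVersion: tls.VersionTLS12}
}

// DialFederation shows the two halves together: dial the SRV-derived address,
// verify against ServerName. Not called below, since the example runs offline.
func DialFederation(t FederationTarget) (*tls.Conn, error) {
	addr := net.JoinHostPort(t.ConnectHost, strconv.Itoa(int(t.ConnectPort)))
	return tls.Dial("tcp", addr, TLSConfigFor(t))
}

// CertMatchesServerName is the check the PR is about: the leaf's SANs must
// cover the server name. The SRV target plays no part in this decision.
func CertMatchesServerName(cert *x509.Certificate, t FederationTarget) error {
	return cert.VerifyHostname(t.ServerName)
}

// newTestCert builds a constructed, self-signed leaf for the given DNS names
// so the check can be exercised without any network access.
func newTestCert(dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed scenario: example.org delegates via SRV to a different host.
	srv := &net.SRV{Target: "matrix-host.example.net.", Port: 8448}
	target := ResolveWithSRV("example.org", srv)
	fmt.Printf("connect to %s:%d, verify name %q\n", target.ConnectHost, target.ConnectPort, target.ServerName)

	good, _ := newTestCert("example.org")
	bad, _ := newTestCert("matrix-host.example.net")
	fmt.Println("cert for server name:", CertMatchesServerName(good, target)) // nil: accepted
	fmt.Println("cert for SRV target: ", CertMatchesServerName(bad, target))  // error: rejected
}
```

The point of `TLSConfigFor` is that `ServerName` is set from discovery's input, not from the dial address; if it were left empty, Go would fall back to the host part of the dial address and silently verify against the SRV target, which is exactly the false positive being discussed.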

richvdh commented 5 years ago

In fact wait. It doesn't even seem to be checking the targets of the SRV record. It seems to be checking that the names in the cert match... the names in the cert?

anoadragon453 commented 5 years ago

Err, it certainly produces true and false correctly on the addresses I've tested, but I am not sure if this produces false positives.

/me does more research

anoadragon453 commented 5 years ago

Doesn't seem like this is necessary anymore.