Closed alexte closed 5 years ago
I tested the source now and found that two more changes were necessary for the .well-known handling:
1) pulling the certificate should be done with the resolved host:port from well-known
2) the cert should be checked with the host from well-known, without the port
This patch solved the cert check for me; I hope it doesn't break the check for others. (never programmed Go before)
I think this duplicates the work in https://github.com/matrix-org/gomatrixserverlib/pull/109.
The main part of this patch is that the ServerHost should be checked instead of the ServerName (e.g. matrix.mail.at and not mail.at) in isValidCert, and I stripped the port in the calling function and not in the isValidCertificate function; isValidCertificate shouldn't care about the port number IMHO, and I used the builtin Go function to strip the port part.
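The check described in this comment, as an added example in Go that is not code from this PR or from gomatrixserverlib: the name to validate is derived from the delegated m.server value with the port stripped via net.SplitHostPort, and a constructed certificate is then checked against that host rather than the original server name. The function names and the sample values are my own.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"strings"
)

// certHostFromDelegated returns the name a delegated server's certificate
// must be valid for: the host part of the .well-known m.server value with
// any port removed. Handles "host", "host:port" and "[v6]:port" forms.
func certHostFromDelegated(mServer string) (string, error) {
	mServer = strings.TrimSpace(mServer)
	if mServer == "" {
		return "", errors.New("empty m.server value")
	}
	host, _, err := net.SplitHostPort(mServer)
	if err != nil {
		// No port present: use the whole value, minus IPv6 brackets if any.
		host = strings.Trim(mServer, "[]")
	}
	if host == "" {
		return "", errors.New("m.server has no host part")
	}
	return host, nil
}

// certFor builds a constructed certificate with only SAN names (all VerifyHostname needs).
func certFor(names ...string) *x509.Certificate {
	return &x509.Certificate{DNSNames: names}
}

// certMatchesDelegated reports whether cert is valid for the delegated host.
func certMatchesDelegated(cert *x509.Certificate, mServer string) (bool, error) {
	host, err := certHostFromDelegated(mServer)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	cert := certFor("matrix.mail.at") // what the delegated host serves
	for _, s := range []string{"matrix.mail.at:8448", "matrix.mail.at", "mail.at:8448"} {
		ok, err := certMatchesDelegated(cert, s)
		fmt.Printf("%-20s valid=%v err=%v\n", s, ok, err)
	}
}
```

The last sample shows the failure mode the PR fixes: checking the delegated host's certificate against the original domain (mail.at) rejects a certificate that is correct for matrix.mail.at.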
I don't think this PR is relevant any more
The bug is still present in https://matrix.org/federationtester/api/report?server_name=mail.at
I updated the patch. But take care: this patch does not work without the new matrixlib that strips the port part in IsValidCertificate.
@richvdh Simply gb vendor update github.com/matrix-org/gomatrixserverlib
https://matrix.org/docs/spec/server_server/r0.1.1.html says correctly that a delegated host for a domain must provide a valid cert for the delegated hostname and not the domain. Sorry, but I couldn't test this patch.