search

matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.
81 stars 17 forks source link

Federation Tester complains about invalid certs when using SRV to an IP address #39

Closed anoadragon453 closed 5 years ago

anoadragon453 commented 5 years ago

If a server is using an SRV record that leads to an IP address and that IP address is not included in the target server's federation TLS certificate, then the certificate gets marked as valid even if example.com is included (it's a case of trying and failing to validate xx.xx.xx.xx:8448 vs. example.com:8448).

I'm of the mind that we should still fail, but use the new errors output to say that this is the case and that people should move to .well-known.

richvdh commented 5 years ago

then the certificate gets marked as valid even if example.com is included

this sounds like correct behaviour?

people should move to .well-known.

The idea is that a .well-known is normally unnecessary and you should just use the right cert

anoadragon453 commented 5 years ago

LetsEncrypt doesn't seem to set up an IP address into the cert by default though.

richvdh commented 5 years ago

Indeed, certificates don't usually include an IP address, but that shouldn't matter as we should check for the original server name, not the target.

then the certificate gets marked as valid even if example.com is included

Did you mean invalid?

There is a separate problem with IP addresses: I don't think it is valid for a SRV to point to an IP address. You might want to check that though.

richvdh commented 5 years ago

@anoadragon453 I'm still very confused about what this issue is talking about.

anoadragon453 commented 5 years ago

This issue spawned as a configuration error as part of @benparsons' server, which afaik used the community Ansible playbook (which may need to be adjusted to not set the SRV record to an IP address).

As SRV cannot be an IP address, this makes this whole issue moot.

spantaleev commented 5 years ago

The matrix-docker-ansible-deploy playbook doesn't set SRV records on people's behalf.

In its Configuring DNS, we do advise people to set a SRV record (before Synapse v1.0, at least), but it references a matrix.<domain> host, never an IP address.

So.. it's interesting exactly what happened and how.

compgeniuses commented 2 years ago

so, no solution was found for this issue.