matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

SRV record causes certificate check against domain name, not host name #61

Closed nakal closed 5 years ago

nakal commented 5 years ago

When using an SRV entry for the domain, the certificate check fails, because it expects the domain name to match instead of the host name it connected to.

What happens

For:

_matrix._tcp.example.com. 3600 IN   SRV 10 0 8448 matrix.example.com.

The tester connects to matrix.example.com but checks for a certificate for example.com.

What I expect

The tester connects to matrix.example.com and checks for a certificate for matrix.example.com.

It is not only impracticable to use the main domain (it causes a lot of problems with automatically issued certificates), it also differs from the behavior that occurs with the .well-known entry on the web server hosting example.com:

{"m.server": "matrix.example.com:8448"}

richvdh commented 5 years ago

This is specced behaviour: https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md#interaction-with-srv-records

nakal commented 5 years ago

Ah, I understand. This is still really confusing. I realize I cannot use SRV records for my scenario, even though the federation docs recommend it. The .well-known way is my solution here.
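The resolution precedence behind richvdh's answer, as an added Go example (not code from this issue or from matrix-federation-tester): the DNS and .well-known lookups are injected as functions so it runs offline on constructed data, and the `Resolver`, `Target` and `Resolve` names are assumptions of this example. `TLSName` is the name the certificate must be valid for: with an SRV record it stays the original server name, with .well-known it becomes the delegated host.

```go
package main

import (
	"net"
	"strconv"
	"strings"
)

// Resolver injects the two lookups so the example runs offline on constructed data.
type Resolver struct {
	WellKnown func(host string) (mServer string, ok bool)
	SRV       func(host string) (target string, port uint16, ok bool)
}

// Target is the host:port to connect to and the name the certificate must be valid for.
type Target struct {
	Addr, TLSName string
}

// splitHostPort returns host, port ("8448" when absent) and whether a port was given.
func splitHostPort(s string) (host, port string, hasPort bool) {
	if h, p, err := net.SplitHostPort(s); err == nil {
		return h, p, true
	}
	return strings.Trim(s, "[]"), "8448", false
}

// resolveHost handles one name: IP literal or explicit port first, then SRV, else
// host:8448. SRV changes only where we connect; the certificate must still match h.
func resolveHost(r Resolver, name string) Target {
	h, p, hasPort := splitHostPort(name)
	if net.ParseIP(h) != nil || hasPort {
		return Target{Addr: net.JoinHostPort(h, p), TLSName: h}
	}
	if target, port, ok := r.SRV(h); ok {
		return Target{Addr: net.JoinHostPort(target, strconv.Itoa(int(port))), TLSName: h}
	}
	return Target{Addr: net.JoinHostPort(h, p), TLSName: h}
}

// Resolve consults .well-known only for a bare hostname; its m.server value then
// goes through the same steps, so the certificate is checked against that host.
func Resolve(r Resolver, serverName string) Target {
	if h, _, hasPort := splitHostPort(serverName); net.ParseIP(h) == nil && !hasPort {
		if delegated, ok := r.WellKnown(h); ok {
			return resolveHost(r, delegated)
		}
	}
	return resolveHost(r, serverName)
}
```

Run with the SRV record from this issue and the certificate name comes back as example.com; run with the .well-known entry instead and it comes back as matrix.example.com.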