matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

Reads the certificate from the domain and not the host #86

Closed peterhoeg closed 5 years ago

peterhoeg commented 5 years ago

On a configuration with both SRV and .well-known set up, the tester should return the correct information for both delegation mechanisms. It looks like it basically reads the cert from the wrong server.

What happened:

  1. Running https://federationtester.matrix.org/api/report?server_name=hoeg.com, I am given errors about using the wrong certificate "x509: certificate is valid for hoeg.com, not matrix.hoeg.com"

  2. Using testssl.sh, I can see the correct certificate:

    testssl.sh https://matrix.hoeg.com:8448
    <snip>
    Common Name (CN)             matrix.hoeg.com
    subjectAltName (SAN)         matrix.hoeg.com

Further to #61

richvdh commented 5 years ago

On a configuration with both SRV and .well-known set up, the tester should return the correct information for both delegation mechanisms.

This sounds like a duplicate of #37.

In your case, the federation tester is correctly showing that your server is misconfigured, and is presenting a (self-signed) certificate for hoeg.com rather than matrix.hoeg.com. This will not work once other servers in the federation update to Synapse 1.0.

I'm afraid I'm not familiar with testssl.sh. Using openssl s_client:

    $ openssl s_client -connect matrix.hoeg.com:8448 -servername matrix.hoeg.com
    CONNECTED(00000003)
    depth=0 CN = hoeg.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = hoeg.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=hoeg.com
       i:/CN=hoeg.com
    ---
    ...

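
To make concrete what the tester is objecting to, here is an added Go example; it is not code from matrix-federation-tester or from anyone in this thread. It builds a constructed self-signed certificate whose only DNS name is hoeg.com (the shape of the certificate in the openssl output above) and checks it against the name the tester expects on the delegated host, matrix.hoeg.com, using crypto/x509's VerifyHostname, which yields the same "x509: certificate is valid for hoeg.com, not matrix.hoeg.com" error quoted in the report. presentedLeaf is an assumed helper that fetches a live leaf certificate the way the openssl s_client command does, with SNI set; host names and the port 8448 are taken from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate whose only
// DNS name is cn. Constructed for this example: it stands in for the
// certificate a misconfigured homeserver presents on port 8448.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkDelegatedName reports whether the presented certificate is valid
// for the host name the tester resolved for the server (here the
// .well-known target matrix.hoeg.com). A nil error means the name is
// covered; otherwise the error is the x509.HostnameError the tester shows.
func checkDelegatedName(cert *x509.Certificate, expected string) error {
	return cert.VerifyHostname(expected)
}

// presentedLeaf (assumed helper) connects to hostPort with SNI set to sni
// and returns the leaf certificate the server offered. Chain verification
// is deliberately skipped here so that a wrong certificate can still be
// inspected; the caller applies checkDelegatedName to it. This mirrors the
// openssl s_client -servername call and is not exercised offline.
func presentedLeaf(hostPort, sni string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", hostPort, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // diagnostic fetch only; hostname is checked by the caller
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented by %s", hostPort)
	}
	return certs[0], nil
}

func main() {
	// Offline reproduction of the report: a certificate issued only for the
	// bare server_name, checked against the delegated host name.
	cert, err := selfSignedCert("hoeg.com")
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"matrix.hoeg.com", "hoeg.com"} {
		if err := checkDelegatedName(cert, name); err != nil {
			fmt.Printf("%s: %v\n", name, err)
		} else {
			fmt.Printf("%s: certificate covers this name\n", name)
		}
	}
	// Live check (needs network): presentedLeaf("matrix.hoeg.com:8448", "matrix.hoeg.com")
	// followed by checkDelegatedName(leaf, "matrix.hoeg.com").
}
```

The fix on the server side is the one the thread points at: the certificate served on the delegated host must cover that host's name, so VerifyHostname against matrix.hoeg.com returns nil.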
peterhoeg commented 5 years ago

Apologies, my mistake.