Closed irl closed 2 years ago
This looks like openssl is unhappy about your certificate. I don't think it's a problem with Sygnal as such.
https://stackoverflow.com/a/52220373/5252017 looks promising. The author there writes:
You may need to regenerate the certificate and use a stronger hash to sign, for example SHA1.
the problem here is that the cert is generated by Apple :/
Yes, we generated a brand new certificate to make sure we're not using one generated with older parameters but still getting the same issue. It might not be a problem with Sygnal specifically, but does affect the Sygnal docker image which I believe is built from this repository, so I think this issue is in the right place.
Assuming we're happy with people using these certificates, we can fix this by configuring OpenSSL's security level to be level 1 rather than 2.
This involves editing this part of /etc/ssl/openssl.cnf:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
I believe this can also be configured in Sygnal code (IIRC you can specify it when configuring the list of allowed ciphers), but I'm not sure that's the right solution here.
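To find out in advance which security level a certificate or chain trips, rather than waiting for the handshake to fail, here is an added Go example. It is not Sygnal's code and not OpenSSL itself: it scores public keys and signature digests the way I understand OpenSSL 1.1.1's security levels to score them (RSA by modulus size, EC by half the curve size, digests by half their output length; an assumption, marked in the code), and it constructs throwaway self-signed RSA and EC certificates as inputs in place of anything issued by Apple. The function names (LowestRejectingLevel, ChainLowestRejectingLevel, RSACert, ECCert) are my own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Minimum "security bits" OpenSSL demands at SECLEVEL 1..5 (index 0 unused).
var levelMinBits = [6]int{0, 80, 112, 128, 192, 256}

// keySecBits scores a public key: RSA following the BN_security_bits table,
// EC as half the curve size, Ed25519 as 128. Assumption: this mirrors OpenSSL
// 1.1.1's scoring; treat it as an approximation, not the library's own code.
func keySecBits(pub crypto.PublicKey) int {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		n := k.N.BitLen()
		switch {
		case n >= 15360:
			return 256
		case n >= 7680:
			return 192
		case n >= 3072:
			return 128
		case n >= 2048:
			return 112
		case n >= 1024:
			return 80
		}
		return 0
	case *ecdsa.PublicKey:
		if b := k.Curve.Params().BitSize / 2; b < 256 {
			return b
		}
		return 256
	case ed25519.PublicKey:
		return 128
	}
	return 0
}

// sigSecBits scores the digest in a certificate signature: a digest is credited
// with half its output length, so SHA-1 is 80 bits and fails SECLEVEL=2.
func sigSecBits(alg x509.SignatureAlgorithm) int {
	switch alg {
	case x509.MD5WithRSA:
		return 64
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return 80
	case x509.SHA256WithRSA, x509.DSAWithSHA256, x509.ECDSAWithSHA256, x509.SHA256WithRSAPSS, x509.PureEd25519:
		return 128
	case x509.SHA384WithRSA, x509.ECDSAWithSHA384, x509.SHA384WithRSAPSS:
		return 192
	case x509.SHA512WithRSA, x509.ECDSAWithSHA512, x509.SHA512WithRSAPSS:
		return 256
	}
	return 0
}

// certSecBits is the weaker of key strength and signature strength. The
// signature on a self-signed certificate is ignored, as OpenSSL does, because
// it proves nothing about the chain.
func certSecBits(cert *x509.Certificate) int {
	bits := keySecBits(cert.PublicKey)
	selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	if !selfSigned {
		if s := sigSecBits(cert.SignatureAlgorithm); s < bits {
			bits = s
		}
	}
	return bits
}

// LowestRejectingLevel returns the lowest SECLEVEL (1..5) that would refuse
// this certificate, or 0 if it passes even level 5.
func LowestRejectingLevel(cert *x509.Certificate) int {
	bits := certSecBits(cert)
	for lvl := 1; lvl <= 5; lvl++ {
		if bits < levelMinBits[lvl] {
			return lvl
		}
	}
	return 0
}

// ChainLowestRejectingLevel applies the check to every certificate in a chain
// (leaf first): the chain is only as strong as its weakest member.
func ChainLowestRejectingLevel(chain []*x509.Certificate) int {
	worst := 0
	for _, c := range chain {
		if l := LowestRejectingLevel(c); l != 0 && (worst == 0 || l < worst) {
			worst = l
		}
	}
	return worst
}

// selfSignedCert builds a throwaway self-signed certificate for priv
// (constructed test input, not an Apple-issued certificate).
func selfSignedCert(priv crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "apns-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RSACert makes a self-signed certificate over a fresh RSA key of the given size.
func RSACert(bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return selfSignedCert(key)
}

// ECCert makes a self-signed certificate over a fresh P-256 key.
func ECCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return selfSignedCert(key)
}

func main() {
	for _, bits := range []int{1024, 2048} {
		c, err := RSACert(bits)
		if err != nil {
			panic(err)
		}
		fmt.Printf("RSA-%d leaf: refused from SECLEVEL=%d upwards\n", bits, LowestRejectingLevel(c))
	}
}
```

Against a real chain, decode the PEM with encoding/pem, parse each block with x509.ParseCertificate, and pass leaf plus intermediates to ChainLowestRejectingLevel: a result of 2 is exactly the case discussed above, refused by the SECLEVEL=2 default in openssl.cnf and accepted at SECLEVEL=1. Checking the whole chain matters because an intermediate signed with SHA-1 trips level 2 even when the leaf key and signature are fine.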
Assuming we're happy with people using these certificates, we can fix this by configuring OpenSSL's security level to be level 1 rather than 2.
Yeah, if we can do this for the Docker image then the issue should resolve itself. I'm happy to test it out as soon as a build is available as I'm blocking on this for a project.
but I'm not sure that's the right solution here.
Yeah, it sounds like using a JWT key might be a better solution than a client cert.
In the meantime, it might be good to update openssl.cnf in the docker image.
Let's do the one line change in the openssl conf for now and figure out how to support JWTs later. (I'll file a separate bug)
@irl are you happy to try token-based (JWT) authentication?
Instead of specifying a certfile, you would need to specify (copied from the README):
I would hope it's easy to find these from Apple?
We believe JWT-based authentication, which is supported by Sygnal for APNS, is a reasonable alternative, and preferable to downgrading the security level of OpenSSL in our container.
@irl: If it is not possible for you to use JWTs, please reply with why and we can re-open this issue and fix it.
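For anyone weighing the token-based route suggested above, here is an added Go example of what an APNs provider token is and how to check one; it is not Sygnal's code and not Apple's. It assumes placeholder values for the key ID ("ABC123DEFG") and team ID ("TEAMID1234"), and generates an ephemeral P-256 key where a real provider would load the .p8 file from Apple (a PKCS#8 PEM, readable with x509.ParsePKCS8PrivateKey). The token format itself is the standard JWT with ES256 (RFC 7519 and RFC 7518: the ECDSA signature is raw r||s, not ASN.1), and the refresh rule encoded in NeedsRefresh follows Apple's published guidance that a token older than an hour is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWT uses base64url without padding.
var b64 = base64.RawURLEncoding

// Header carries the algorithm and the Apple key ID (kid).
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Claims carry the Apple team ID (iss) and the issue time (iat).
type Claims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
}

// NewProviderToken builds and signs an APNs provider token with ES256.
func NewProviderToken(key *ecdsa.PrivateKey, keyID, teamID string, issuedAt time.Time) (string, error) {
	if key.Curve != elliptic.P256() {
		return "", errors.New("ES256 requires a P-256 key")
	}
	hdr, err := json.Marshal(Header{Alg: "ES256", Kid: keyID})
	if err != nil {
		return "", err
	}
	clm, err := json.Marshal(Claims{Iss: teamID, Iat: issuedAt.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(clm)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signature: r and s each left-padded to 32 bytes, concatenated.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyProviderToken checks structure, pins the algorithm to ES256 (never
// let the token choose the verifier), and verifies the signature with pub.
func VerifyProviderToken(token string, pub *ecdsa.PublicKey) (Header, Claims, error) {
	var hdr Header
	var clm Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, clm, errors.New("token must have three dot-separated parts")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return hdr, clm, err
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return hdr, clm, err
	}
	if hdr.Alg != "ES256" {
		return hdr, clm, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	cb, err := b64.DecodeString(parts[1])
	if err != nil {
		return hdr, clm, err
	}
	if err := json.Unmarshal(cb, &clm); err != nil {
		return hdr, clm, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return hdr, clm, err
	}
	if len(sig) != 64 {
		return hdr, clm, errors.New("ES256 signature must be 64 bytes")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return hdr, clm, errors.New("signature verification failed")
	}
	return hdr, clm, nil
}

// NeedsRefresh reports whether a token issued at iat is too old to send:
// APNs rejects provider tokens older than one hour.
func NeedsRefresh(iat int64, now time.Time) bool {
	return now.Unix()-iat >= 3600
}

func main() {
	// Ephemeral key standing in for the .p8 key Apple issues (constructed input).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tok, err := NewProviderToken(key, "ABC123DEFG", "TEAMID1234", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("authorization: bearer", tok)
}
```

The token goes in the `authorization: bearer ...` header of every APNs request, and because it is signed rather than tied to a TLS client certificate, the OpenSSL security level of the container never enters into it. Refresh it between 20 and 60 minutes after iat: older tokens are refused, and regenerating more often than every 20 minutes is also refused by APNs.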
Describe the bug: A freshly signed dev APNS certificate causes a crash with the openssl error below.
To Reproduce: Steps to reproduce the behavior:
Expected behavior: Certificate is accepted.
Screenshots