Open tadzik opened 2 years ago
I did a test with Synapse 1.47.1. I cannot reproduce it.
I set up a OIDC provider:
oidc_providers:
- idp_id: my_idp
idp_name: "My OpenID provider"
discover: true
issuer: "https://localhost:9999/"
client_id: "provided-by-your-issuer"
client_secret: "provided-by-your-issuer"
client_auth_method: client_secret_post
The result in Synapse log is
2021-11-30 14:41:52,937 - synapse.http.client - 398 - DEBUG - sentinel - Sending request GET https://localhost:9999/.well-known/openid-configuration
2021-11-30 14:41:53,055 - synapse.handlers.deactivate_account - 215 - INFO - user_parter_loop-0 - User parter finished: stopping
2021-11-30 14:41:53,061 - synapse.http.client - 452 - INFO - sentinel - Error sending request to GET https://localhost:9999/.well-known/openid-configuration: RequestTimedOutError 504: Timeout waiting for response from remote server
2021-11-30 14:41:53,062 - synapse.app._base - 215 - CRITICAL - sentinel - Error during startup
Traceback (most recent call last):
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 119, in load_metadata
await p.load_metadata()
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 435, in load_metadata
return await self._provider_metadata.get()
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 135, in get
return await self._cachedcall.get()
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 105, in get
self._result.raiseException()
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/python/failure.py", line 475, in raiseException
raise self.value.with_traceback(self.tb)
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/internet/defer.py", line 1657, in _inlineCallbacks
result = current_context.run(
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 125, in _wrapper
return await f()
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 447, in _load_metadata
metadata_response = await self._http_client.get_json(url)
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 588, in get_json
body = await self.get_raw(uri, args, headers=headers)
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 673, in get_raw
response = await self.request("GET", uri, headers=Headers(actual_headers))
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 440, in request
response = await make_deferred_yieldable(request_deferred)
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/internet/defer.py", line 858, in _runCallbacks
current.result = callback( # type: ignore[misc]
File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 756, in _timeout_to_request_timed_out_error
raise RequestTimedOutError("Timeout waiting for response from remote server")
synapse.http.RequestTimedOutError: 504: Timeout waiting for response from remote server
Then I have set:
use_insecure_ssl_client_just_for_testing_do_not_use: true
I get a connection now:
2021-11-30 14:44:38,004 - synapse.http.client - 398 - DEBUG - sentinel - Sending request GET https://localhost:9999/.well-known/openid-configuration
2021-11-30 14:44:38,142 - synapse.handlers.deactivate_account - 215 - INFO - user_parter_loop-0 - User parter finished: stopping
2021-11-30 14:44:38,147 - synapse.http.client - 443 - INFO - sentinel - Received response to GET https://localhost:9999/.well-known/openid-configuration: 404
It results in a 404 error as it is only a dummy server. No real IdP, but Synapse did a connection with an invalid cert.
curl https://localhost:9999
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
I had this issue and tried use_insecure_ssl_client_just_for_testing_do_not_use: true
without success with latest v1.51.0 (this setting is not present in my generated config file).
For anyone having a custom CA, it's simple and more secure to pass your custom CA via an environment variable SSL_CERT_FILE=/path/to/MyCustomCA.crt
Any update on this? I also tried @MatthieuBarthel suggestion which didn't work. I'm using Docker and also edited my dockerfile to add the root certificate to the keystore which also changed nothing.
Description
Enabling the
use_insecure_ssl_client_just_for_testing_do_not_use
config file option doesn't stop SimpleHttpClient (used in the OIDC handler in my case) from failing to connect to host. It also fails with a 504 which is its way of saying "invalid certificate", which is a bug on its own, but possibly not related.Steps to reproduce
RequestTimedOutError
With
use_insecure_ssl_client_just_for_testing_do_not_use
enabled, I'd expect to have a normal interaction even with an untrusted server.Version information
develop
as of the time of filing this issue,git describe --tags
beingv1.39.0rc2-736-g1d8b80b33