matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Insecure HTTP client not happy with a self-signed certificate #11437

Open tadzik opened 2 years ago

tadzik commented 2 years ago

Description

Enabling the use_insecure_ssl_client_just_for_testing_do_not_use config file option doesn't stop SimpleHttpClient (used in the OIDC handler in my case) from failing to connect to the host. It also fails with a 504, which is its way of saying "invalid certificate", which is a bug on its own, but possibly not related.

Steps to reproduce

With use_insecure_ssl_client_just_for_testing_do_not_use enabled, I'd expect to have a normal interaction even with an untrusted server.

Version information

dklimpel commented 2 years ago

I did a test with Synapse 1.47.1. I cannot reproduce it.

I set up an OIDC provider:

oidc_providers:
  - idp_id: my_idp
    idp_name: "My OpenID provider"
    discover: true
    issuer: "https://localhost:9999/"
    client_id: "provided-by-your-issuer"
    client_secret: "provided-by-your-issuer"
    client_auth_method: client_secret_post

The result in Synapse log is

2021-11-30 14:41:52,937 - synapse.http.client - 398 - DEBUG - sentinel - Sending request GET https://localhost:9999/.well-known/openid-configuration
2021-11-30 14:41:53,055 - synapse.handlers.deactivate_account - 215 - INFO - user_parter_loop-0 - User parter finished: stopping
2021-11-30 14:41:53,061 - synapse.http.client - 452 - INFO - sentinel - Error sending request to  GET https://localhost:9999/.well-known/openid-configuration: RequestTimedOutError 504: Timeout waiting for response from remote server
2021-11-30 14:41:53,062 - synapse.app._base - 215 - CRITICAL - sentinel - Error during startup
Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 119, in load_metadata
    await p.load_metadata()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 435, in load_metadata
    return await self._provider_metadata.get()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 135, in get
    return await self._cachedcall.get()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 105, in get
    self._result.raiseException()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/python/failure.py", line 475, in raiseException
    raise self.value.with_traceback(self.tb)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/internet/defer.py", line 1657, in _inlineCallbacks
    result = current_context.run(
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 125, in _wrapper
    return await f()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 447, in _load_metadata
    metadata_response = await self._http_client.get_json(url)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 588, in get_json
    body = await self.get_raw(uri, args, headers=headers)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 673, in get_raw
    response = await self.request("GET", uri, headers=Headers(actual_headers))
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 440, in request
    response = await make_deferred_yieldable(request_deferred)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/internet/defer.py", line 858, in _runCallbacks
    current.result = callback(  # type: ignore[misc]
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 756, in _timeout_to_request_timed_out_error
    raise RequestTimedOutError("Timeout waiting for response from remote server")
synapse.http.RequestTimedOutError: 504: Timeout waiting for response from remote server

Then I have set: use_insecure_ssl_client_just_for_testing_do_not_use: true

I get a connection now:

2021-11-30 14:44:38,004 - synapse.http.client - 398 - DEBUG - sentinel - Sending request GET https://localhost:9999/.well-known/openid-configuration
2021-11-30 14:44:38,142 - synapse.handlers.deactivate_account - 215 - INFO - user_parter_loop-0 - User parter finished: stopping
2021-11-30 14:44:38,147 - synapse.http.client - 443 - INFO - sentinel - Received response to GET https://localhost:9999/.well-known/openid-configuration: 404

It results in a 404 error as it is only a dummy server. No real IdP, but Synapse made a connection with an invalid cert.

curl https://localhost:9999
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'

MatthieuBarthel commented 2 years ago

I had this issue and tried use_insecure_ssl_client_just_for_testing_do_not_use: true without success with the latest v1.51.0 (this setting is not present in my generated config file).

For anyone having a custom CA, it's simple and more secure to pass your custom CA via an environment variable SSL_CERT_FILE=/path/to/MyCustomCA.crt

Quadrubo commented 1 year ago

Any update on this? I also tried @MatthieuBarthel's suggestion, which didn't work. I'm using Docker and also edited my Dockerfile to add the root certificate to the keystore, which also changed nothing.
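
As an added example (my own code, not Synapse's or Twisted's), the following Python uses only the standard-library ssl module to illustrate three points the thread touches on: how an OpenSSL-backed client resolves the SSL_CERT_FILE override that MatthieuBarthel's suggestion relies on, how an "insecure" client context (what the testing-only option amounts to) differs from a context that merely trusts one extra CA, and why the curl error dklimpel pasted (no subject name matching 'localhost') is a hostname mismatch that trusting the CA cannot fix. The function names, the remedy table and every sample error string other than that curl line are my own; the example does not exercise Synapse's Twisted-based SimpleHttpClient, so it says nothing about whether the env var reaches that client.

```python
"""Verification modes and SSL_CERT_FILE resolution with the stdlib ssl module.

Added example; not Synapse or Twisted code. Function names are hypothetical.
"""
import os
import ssl
import tempfile
from typing import Dict, Optional


def resolve_ca_bundle() -> Optional[str]:
    """Return the CA bundle an OpenSSL-based client picks up by default.

    Mirrors OpenSSL's rule: SSL_CERT_FILE wins when it names an existing file,
    otherwise the bundle path compiled into the OpenSSL build (if it exists).
    """
    paths = ssl.get_default_verify_paths()
    override = os.environ.get(paths.openssl_cafile_env)
    if override and os.path.isfile(override):
        return override
    if paths.openssl_cafile and os.path.isfile(paths.openssl_cafile):
        return paths.openssl_cafile
    return None


def ssl_cert_file_is_honoured() -> bool:
    """Self-check: point SSL_CERT_FILE at a constructed placeholder file and
    confirm resolve_ca_bundle() prefers it. The environment is restored after."""
    env = ssl.get_default_verify_paths().openssl_cafile_env
    previous = os.environ.get(env)
    with tempfile.NamedTemporaryFile(suffix=".crt", delete=False) as fh:
        fh.write(b"# constructed placeholder, not a real certificate\n")
        placeholder = fh.name
    try:
        os.environ[env] = placeholder
        return resolve_ca_bundle() == placeholder
    finally:
        if previous is None:
            os.environ.pop(env, None)
        else:
            os.environ[env] = previous
        os.unlink(placeholder)


def insecure_client_context() -> ssl.SSLContext:
    """What an 'insecure' client effectively does: accept any certificate.

    check_hostname must be cleared before verify_mode is lowered, or ssl
    raises ValueError; the order itself shows how deliberate this step is.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trusted_ca_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Keep full chain and hostname verification, anchored in a chosen CA bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    bundle = ca_bundle or resolve_ca_bundle()
    if bundle:
        ctx.load_verify_locations(cafile=bundle)
    else:
        ctx.load_default_certs()
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


# Phrases OpenSSL (and curl on top of it) put in verification errors, grouped
# by root cause. The first hostname-mismatch phrase is the curl line from the
# thread; the remaining strings are constructed from common OpenSSL wording.
_FAILURE_SIGNATURES = {
    "hostname-mismatch": ("no alternative certificate subject name matches",
                          "hostname mismatch", "doesn't match"),
    "unknown-ca": ("self-signed certificate", "self signed certificate",
                   "unable to get local issuer certificate",
                   "unable to get issuer certificate locally"),
    "expired": ("certificate has expired",),
}

REMEDY = {
    "hostname-mismatch": "Reissue the server certificate with a SAN for the name "
                         "you connect to; trusting its CA via SSL_CERT_FILE will not help.",
    "unknown-ca": "Trust the issuing CA (SSL_CERT_FILE or a CA bundle) instead of "
                  "disabling verification.",
    "expired": "Renew the certificate or fix the client clock.",
    "unknown": "Inspect the full OpenSSL error before changing any trust setting.",
}


def classify_verification_error(error_text: str) -> str:
    """Map a TLS verification error message to the cause that needs fixing."""
    text = error_text.lower()
    for kind, phrases in _FAILURE_SIGNATURES.items():
        if any(p in text for p in phrases):
            return kind
    return "unknown"


if __name__ == "__main__":
    curl_line = ("curl: (60) SSL: no alternative certificate subject name "
                 "matches target host name 'localhost'")
    kind = classify_verification_error(curl_line)
    print(kind, "->", REMEDY[kind])
    print("SSL_CERT_FILE honoured:", ssl_cert_file_is_honoured())
    print("insecure:", context_summary(insecure_client_context()))
    print("trusted CA:", context_summary(trusted_ca_client_context()))
```

Run as a script it prints the classification of the curl line from the thread ("hostname-mismatch") alongside the two context summaries, which makes the gap between the two approaches concrete: the insecure context reports CERT_NONE with hostname checking off, while the custom-CA context keeps CERT_REQUIRED and hostname checking and only changes where trust is anchored.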