-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC1711: X.509 certificate verification for federation connections #1711
Conversation
This generally looks good to me, although it's a bit sad that people who have got used to self-signed certs magically working (like me on arasphere) will be forced to pull their LE lives together. Is there any way to (optionally) fall back to tofu when you see a self-signed cert? (asking somewhat rhetorically, given it feels it makes it too easy for an attacker to MITM new connections to servers via a self-signed cert) |
related #1685 |
This really belongs in MSC1708.
Team member @richvdh has proposed to merge this. The next step is review by the rest of the tagged teams: No concerns currently listed. Once a majority of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
🔔 This is now entering its final comment period, as per the review above. 🔔 |
The final comment period, with a disposition to merge, as per the review above, is now complete. |
Original proposals: * #1708 (note: the JSON requirements were softened by #1824) * #1711 Implementation proofs: * matrix-org/synapse#4489 * No explicit PRs for MSC1711 could be found, however Synapse is known to implement it. There are no intentional changes which differ from the proposals in this commit, however the author has relied upon various historical conversations outside of the proposals to gain the required context. Inaccuracies introduced by the author are purely accidental.
when using an SRV DNS record to point to, let's say example.com, does it mean that 'example.com' needs to be include in the list of subjectAltNames in the certificate ? |
@mherrb You will want to either have your server name in your DNS SANs, or have a .well-known record pointing to the other server. https://github.com/matrix-org/synapse/blob/master/docs/MSC1711_certificates_FAQ.md has more info on what you can do. |
Thanks. |
This is merged via #1830 |
Rendered