Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use CA-signed TLS keys for testing #621

Merged
merged 7 commits into from
Jun 6, 2019
Merged

Use CA-signed TLS keys for testing #621

merged 7 commits into from
Jun 6, 2019

Conversation

richvdh
Copy link
Member

@richvdh richvdh commented Jun 5, 2019

Now that synapse requires real certs, we should present real certs.

We could just turn off the cert validation in synapse, but it seems nicer
to use a fake CA.

The CA key/cert were generated with:

openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -days 3650 -out ca.crt

We could generate the CA cert and key dynamically, but it's easier to store
them.

@richvdh
Use CA-signed TLS keys for testing
64169dd 
Now that synapse requires real certs, we should present real certs.

We could just turn off the cert validation in synapse, but it seems nicer to
use a fake CA.

The CA key/cert were generated with:

    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -days 3650 -out ca.crt

We could generate them dynamically, but it's easier to store them.
@richvdh
Use a CA-signed cert for the test server too
25eedec
@richvdh
missing file
814cdc1
@richvdh
Merge remote-tracking branch 'origin/develop' into rav/enable_tls_ver…
2ec41b6 
…ification
@richvdh
remove dead key/cert files
6497a8a
@richvdh richvdh requested a review from a team June 5, 2019 21:58
@richvdh richvdh mentioned this pull request Jun 5, 2019
Merged
erikjohnston
erikjohnston reviewed Jun 6, 2019
View reviewed changes
lib/SyTest/Homeserver/Synapse.pm
tls_private_key_path => $self->{paths}{key_file},
federation_custom_ca_list => [
"$cwd/keys/ca.crt",
],
use_insecure_ssl_client_just_for_testing_do_not_use => 1,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we not turn this off then? Or what? I'm a bit confused about what has real certs and what doesn't.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this setting controls synapse's 'simple http client', which is used for non-federation requests, including (it turns out) some to IS servers. There's no way to set a custom CA for that, hence the setting.

This should probably be in a comment in the sytest code...

@richvdh richvdh merged commit 5662319 into develop Jun 6, 2019
@richvdh richvdh deleted the rav/enable_tls_verification branch June 6, 2019 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erikjohnston erikjohnston erikjohnston approved these changes

Assignees
No one assigned
Labels
Synapse v1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richvdh @erikjohnston