private CA not supported for ntfy Unified Push #3981
Comments
Question to developers: Currently the push test does not touch the home server at all, right? EXA directly contacts https://ntfy.mydomain/_matrix/push/v1/notify so it does not really test whether e.g. the homeserver can contact the push server.
Yes, the push loop back test does not involve the homeserver. That's why the test can fail in the case ElementX cannot talk to the The push loop back test actually checks that the link
Still, would it be possible to include the installed private CA certificates in the check for the test?
Nope, not without overriding Android settings, which would defy the purpose of testing a (secure) and working connection.
I don't get it, sorry. It is an Android feature to add private CA certificates. How does making use of such a feature, which btw should be on by default IMHO, defy testing for a secure connection?
Let me explain my thinking: Disclaimer, I am not an Element developer, so my thoughts could well be wrong. Typically, EXA NEVER establishes a direct connection to the UnifiedPush server; it only ever does so when testing the push connection, by shortcutting a bit of the push path. Specifically, it does not involve the homeserver sending anything to the UnifiedPush matrix gateway. So, allowing private CAs in EXA would ONLY EVER have an effect when testing the push feature in the settings screen, never in real life. Who NEEDS to accept the private CA certificate of the UnifiedPush server is a) the matrix homeserver and b) the UP distributor app on your phone, which is not under Element's control at all. It could be the ntfy app, it could be the Conversations app, it could be the NextPush app, or any other app. EXA could never verify or guarantee that THIS app is accepting the user's private CA certs, which it would need to. With the current implementation, EXA could also never guarantee that the user's homeserver actually accepts the private CA cert of a UnifiedPush server. Good luck in convincing matrix.org to have their server accept arbitrary and private CA certs of user-configured UnifiedPush servers. If you had EXA allow private CAs, people would come and complain that they suddenly stop getting notifications from their @matrix.org accounts. So, by allowing private CA certs in EXA, you would make some setups work in push testing that could likely fail in real life settings, because it is the ntfy app (or whatever distributor app you are running) that needs to really accept it, as well as your homeserver. Hope that clears things up a bit, and I am happy to be corrected in case I misunderstood things.
OK, I understand the concerns regarding matrix.org dealing with other ntfy servers. But I don't see this as a point here. I have my own private CA and run my own synapse and ntfy server. All clients are part of the internal network.
Steps to reproduce
Outcome
What did you expect?
The certificate of the ntfy server shall be accepted.
What happened instead?
An error occurs:
For me this seems like a coding/configuration problem. Firefox also does not accept private CAs by default but has an option to allow checks against private CA certificates (security.enterprise_roots.enabled).
If I replace the certificate on the ntfy server with one signed by letsencrypt everything works well. Also, certificates of the private CA are accepted by Firefox.
Your phone model
Samsung S10e
Operating system version
/e/OS 2.5
Application version and app store
0.7.4 f-droid
Homeserver
private synapse 1.120
Will you send logs?
No
Are you willing to provide a PR?
No
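For context on the Android side of the discussion above (this is an added example, not a config from the Element X project): since Android 7.0 an app trusts only the system CA store unless its network security config opts in, and that opt-in can be scoped to a single host or to debuggable builds only. The host name `ntfy.mydomain` is the placeholder used in this issue; the file path and manifest attribute are the standard Android ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (hypothetical; not Element X's own config).
     Referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>
    <!-- Default for every host: system CAs only, no cleartext.
         This is what an app on Android 7+ gets when it ships no config at all. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only for the self-hosted push gateway (placeholder host from the issue):
         additionally trust CAs the user installed under Settings > Security. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">ntfy.mydomain</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!-- Alternative: honour user-installed CAs for all hosts, but only in
         debuggable builds, so release builds keep the system-only trust store. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

This only changes what the app itself trusts; as the thread points out, the homeserver and the UnifiedPush distributor app keep their own trust stores and must be configured separately.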