
Use CA-signed TLS keys for testing#621

Merged
richvdh merged 7 commits into develop from rav/enable_tls_verification
Jun 6, 2019

Conversation

@richvdh richvdh commented Jun 5, 2019

Now that synapse requires real certs, we should present real certs.

We could just turn off the cert validation in synapse, but it seems nicer
to use a fake CA.

The CA key/cert were generated with:

    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -days 3650 -out ca.crt

We could generate the CA cert and key dynamically, but it's easier to store
them.
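The PR stores only the CA and points synapse at it; the step it does not show is issuing the server certificates that the CA signs. The script below is an added example, not code from the sytest repository: it runs the two CA commands from the description (with -subj so they need no prompt), issues a server certificate with a subjectAltName, and checks with openssl verify that the leaf chains to the fake CA and is rejected by the system trust store. The function names, file names and the hostname localhost are assumptions.

```shell
#!/bin/sh
# Added helper (not from the sytest repository): build a throwaway CA, issue a
# server certificate signed by it, and check the chain the way a TLS client would.
set -eu

# make_test_ca DIR HOST: writes ca.key, ca.crt, server.key, server.crt into DIR.
make_test_ca() {
    dir=$1
    host=${2:-localhost}
    mkdir -p "$dir"
    # Same two commands as the PR; -subj makes them non-interactive. The default
    # openssl.cnf (v3_ca section) marks the self-signed cert as CA:TRUE.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
        -subj "/CN=sytest fake CA" -out "$dir/ca.crt"
    # Server key plus CSR; only the CA key signs, so the server never holds ca.key.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    # Clients match the hostname against subjectAltName, not CN, so add it explicitly.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR: exit 0 only if server.crt chains to ca.crt, which is the
# check federation_custom_ca_list lets synapse perform against the fake CA.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# rejected_without_ca DIR: exit 0 only if server.crt is NOT trusted by the
# system store, i.e. the fake CA has not leaked into a real trust store.
rejected_without_ca() {
    ! openssl verify "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone run: build everything in a temp dir and report.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_ca "$d" localhost
    verify_chain "$d" && rejected_without_ca "$d" && echo "chain OK: $d"
fi
```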

richvdh added 5 commits June 5, 2019 16:31
Now that synapse requires real certs, we should present real certs.

We could just turn off the cert validation in synapse, but it seems nicer to
use a fake CA.

The CA key/cert were generated with:

    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -days 3650 -out ca.crt

We could generate them dynamically, but it's easier to store them.
    federation_custom_ca_list => [
        "$cwd/keys/ca.crt",
    ],
    use_insecure_ssl_client_just_for_testing_do_not_use => 1,
Member

Can we not turn this off then? Or what? I'm a bit confused about what has real certs and what doesn't.

Member Author

This setting controls synapse's 'simple http client', which is used for non-federation requests, including (it turns out) some to IS servers. There's no way to set a custom CA for that, hence the setting.

This should probably be in a comment in the sytest code...

@richvdh richvdh merged commit 5662319 into develop Jun 6, 2019
@richvdh richvdh deleted the rav/enable_tls_verification branch June 6, 2019 09:50