Use CA-signed TLS keys for testing #621

Merged
merged 7 commits into from
Jun 6, 2019

Conversation

richvdh
Member

@richvdh richvdh commented Jun 5, 2019

Now that synapse requires real certs, we should present real certs.

We could just turn off the cert validation in synapse, but it seems nicer
to use a fake CA.

The CA key/cert were generated with:

openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -days 3650 -out ca.crt

We could generate the CA cert and key dynamically, but it's easier to store
them.
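The two openssl commands above only produce the CA. To present "real certs" to synapse the server key must additionally be issued by that CA, so the following added example (not sytest's own code, and not part of this PR) carries the procedure through: it builds the CA exactly as the description does, then issues a leaf certificate with a subjectAltName signed by it and checks the chain and hostname with `openssl verify`. The directory, the hostname `localhost` and the subject names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not sytest's code: a throwaway test CA plus a server
# certificate issued by it, as a test harness would need.
set -eu

# make_test_ca DIR HOSTNAME
# Writes DIR/ca.key and DIR/ca.crt (self-signed CA, as in the PR description),
# then DIR/server.key and DIR/server.crt (signed by the CA, SAN=HOSTNAME),
# and prints the chain-verification result.
make_test_ca() {
  dir=$1
  host=$2
  mkdir -p "$dir"

  # CA key and self-signed CA certificate; -subj avoids the interactive prompt.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
    -subj "/CN=sytest test CA" -out "$dir/ca.crt"

  # Server key and certificate signing request.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"

  # Leaf extensions: not a CA, server usage only, and a SAN (clients no longer
  # match the hostname against the CN).
  cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF

  # Sign the CSR with the CA (assumed 1-year validity for the leaf).
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # Succeeds only if server.crt chains to ca.crt; this is what a client that
  # trusts ca.crt (e.g. via federation_custom_ca_list) will check.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
}

# verify_hostname DIR HOSTNAME
# Exit status 0 if DIR/server.crt chains to DIR/ca.crt and is valid for HOSTNAME.
verify_hostname() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

`verify_hostname` fails for any name not in the SAN, which is the check a real TLS client performs after the chain check; a test harness that only verifies the chain will not catch a certificate issued for the wrong host.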

richvdh added 5 commits June 5, 2019 16:31
Now that synapse requires real certs, we should present real certs.

We could just turn off the cert validation in synapse, but it seems nicer to
use a fake CA.

The CA key/cert were generated with:

    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -days 3650 -out ca.crt

We could generate them dynamically, but it's easier to store them.
tls_private_key_path => $self->{paths}{key_file},
federation_custom_ca_list => [
"$cwd/keys/ca.crt",
],
use_insecure_ssl_client_just_for_testing_do_not_use => 1,
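Review bot: the `use_insecure_ssl_client_just_for_testing_do_not_use => 1` line at the end of this hunk needs a comment in the code saying why it is still set now that `federation_custom_ca_list` points at `$cwd/keys/ca.crt`; as it stands the two settings look contradictory to a reader of the config, and the explanation only exists in this review thread.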
Member

Can we not turn this off then? Or what? I'm a bit confused about what has real certs and what doesn't.

Member Author

this setting controls synapse's 'simple http client', which is used for non-federation requests, including (it turns out) some to IS servers. There's no way to set a custom CA for that, hence the setting.

This should probably be in a comment in the sytest code...

@richvdh richvdh merged commit 5662319 into develop Jun 6, 2019
@richvdh richvdh deleted the rav/enable_tls_verification branch June 6, 2019 09:50