Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

private CA not supported for ntfy Unified Push #3981

Open
ne20002 opened this issue Dec 2, 2024 · 7 comments
Open

private CA not supported for ntfy Unified Push #3981

ne20002 opened this issue Dec 2, 2024 · 7 comments
Labels
T-Defect Something isn't working: bugs, crashes, hangs and other reported problems

Comments

@ne20002
Copy link

ne20002 commented Dec 2, 2024
edited
Loading

Steps to reproduce

  1. Create a private CA authority
  2. Create a certificate for the ntfy server
  3. Add the root certificate of the private CA as trusted user/private CA to Android
  4. In Element-X test notification settings

Outcome

What did you expect?

The certificate of the ntfy server shall be accepted.

What happened instead?

An error occurs:

Fail to check the gateway
https://ntfy.mydomain/_matrix/push/v1/notify:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

For this seems like a coding/configuration problem. Firefox also does not accept private CAs by default but has an option to allow check against private CA certificates (security.enterprise_roots.enabled).

If I replace the certificate on the ntfy server with one signed by letsencrypt everything works well. Also, certificates of the private CA are accepted by Firefox.

Your phone model

Samsung S10e

Operating system version

/e/OS 2.5

Application version and app store

0.7.4 f-droid

Homeserver

private synapse 1.120

Will you send logs?

No

Are you willing to provide a PR?

No
@ne20002 ne20002 added the T-Defect Something isn't working: bugs, crashes, hangs and other reported problems label Dec 2, 2024
@spaetz
Copy link

spaetz commented Dec 5, 2024

Question to developers: Currently the push test does not touch the home server at all, right? EXA directly contacts https://ntfy.mydomain/_matrix/push/v1/notify so it does not really test whether e.g. the homeserver can contact the push server.
If that were fixed properly, to really conduct a push, EXA would never have the need to directly talk to the ntfy.sh server and this issue were moot.
Is my understanding correct here?

@bmarty
Copy link
Member

bmarty commented Dec 5, 2024

Yes, the push loop back test does not involve the homeserver. That's why the test can fail in the case ElementX cannot talk to the ntfy server (such as certificat issue for instance), and Event notification can work if the homeserver can talk to the ntfy server.

The push loop back test actually checks that the link ntfy server -> EX is OK. The link EX -> ntfy server is just used for the test.

@ne20002
Copy link
Author

ne20002 commented Dec 5, 2024

Still, would it be possible to include the installed private CA certificates in the check for the test?

@spaetz
Copy link

spaetz commented Dec 5, 2024

nope, not without overriding android settings, which would defy the purpose of testing a (secure) and working connection.

@ne20002
Copy link
Author

ne20002 commented Dec 6, 2024

I don't get it, sorry. It is an Android feature to add private CA certificates. How is making use of such a feature, which btw should be on by default IMHO, defy testing for a secure connection?

@spaetz
Copy link

spaetz commented Dec 6, 2024
edited
Loading

Let me explain my thinking: Disclaimer, I am not an Element developer, so my thoughts could well be wrong.

Typically, EXA NEVER establishes a direct connection to the UnifiedPush server, it only every does so when testing the push connection, by shortcutting a bit of the push path. Specifically, it does not involve the homeserver sending anything to the UnifiedPush matrix gateway. So, allowing private CAs in EXA would ONLY EVER have an effect when testing the push feature in the settings screen, never in real life.

Who NEEDS to accept the private CA certificate of UnifiedPush server is a) the matrix homeserver and b) the UP distributor app on your phone, which is not under Element's control at all. It could be the ntfy app, it could be conversations app, it could be the NextPush app, or any other app. EXA could never verify or guarantee that THIS app is accepting the user's private CA certs, which it would need to. With the current implementation, EXA could also never guarantee that the user's homeserver actually accepts the private CA cert of a UnifiedPush server.

Good luck in convincing matrix.org to have their server accept arbitrary and private CA certs of user-configured UnifiedPush servers. If you had EXA allow private CAs, people would come and complain that they suddenly stop getting notifications from their @matrix.org accounts. So, by allowing private CA certs in EXA, you would make some setups work in push testing would could likely fail in real life settings, because it is the ntfy app (or whatever distributor app you are running) that needs to really accept it, as well as your homeserver.

Hope that clarifies things up a bit, and I am happy to be corrected in case I misunderstood things.

@ne20002
Copy link
Author

ne20002 commented Dec 6, 2024

OK, I understand the concerns regarding matrix.org dealing with other ntfy servers. But I don't see this as a point here.

I have my own private CA and run my own synapse and ntfy server. All clients are part of the internal network.
It is also very common for companies to use their own CA. Not allowing this feels wrong.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
T-Defect Something isn't working: bugs, crashes, hangs and other reported problems
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@spaetz @bmarty @ne20002