TLS not working without certificate
Opened this issue · 3 comments
Great app but when I tried to init over https I got the following error:
error: unexpected error (InternalException (HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"my.server.tlg\"]",True,CertificateUnknown))))
Given that most users will use TLS, clearly for its encryption feature and not so much for certification (since this is a self-hosted app that runs on one's own server), TLS should be working regardless of the existence or not of a certificate.
You may consider this as a feature request. So, please, fix this and make it work because I think no serious user would want to sync over plain HTTP. You may put an extra warning if you wish and force the user to acknowledge before continuing.
TLS is supported and you already get an extra warning if you try to initialise over HTTP.
What OS are you running? I noticed this kind of error sometimes, when running nubo on Windows 10. The workaround is to open your server URL once with Edge. I guess this is necessary for Windows to add the certificate to the list of trusted certificates.
Thanks for the fast response!
When I filed this report I had tried it in Linux Mint 17.3, Win 7 and 8.1. Then, after your reply, I also tried in Mint 18.3 and Win 10 and did the Edge trick too. Always the same error.
Then I realised I wasn't very accurate in my initial report. I thought there was no certificate on my server but apparently there is one. I use Media Temple shared hosting and it seems there is a certificate installed named "gridserver.com" owned by GoDaddy (parent company of Media Temple), which obviously is not my domain name. That's why the error message says NameMismatch.
So far I hadn't had a problem with that because it can be easily overridden in any major browser.
So I think nubo should give you this option too instead of an error.
I'm no TLS expert but it seems to me that you cannot configure TLS without having a certificate on the server side, and that disabling certificate validation on the client side weakens security a lot. So I'm not sure this is a good feature.
I'm adding it to my backlog though. I'll investigate to see what's possible with the TLS library I use in nubo.
Thanks for your report!
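
Added example, not part of the thread or of nubo's code: the NameMismatch in the error above comes from the TLS client comparing the hostname it was asked to reach with the DNS names in the server's certificate. This Python version of that comparison handles exact names and whole-label wildcards only; `name_matches`, `check_server_name`, the wildcard entry in the name list and the host `s123.gridserver.com` are assumptions made for the illustration.

```python
# Added illustration: matching a requested hostname against the DNS names
# carried by a server certificate, in the style of RFC 6125.

def _labels(name):
    # DNS names compare case-insensitively; ignore one trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def name_matches(pattern, hostname):
    """True if a single certificate DNS name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and must be
        # followed by at least two fixed labels ("*.com" is refused).
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "f*.example.com" are treated as literals.
    return p == h

def check_server_name(requested_host, cert_dns_names):
    """Return (accepted, reason) for the name check of a TLS handshake."""
    if not cert_dns_names:
        return False, "NoNames"
    if any(name_matches(n, requested_host) for n in cert_dns_names):
        return True, "ok"
    return False, 'NameMismatch "%s"' % requested_host

# Constructed name list: the thread only says the shared-hosting
# certificate is named "gridserver.com"; the wildcard entry is assumed.
SHARED_HOST_CERT = ["gridserver.com", "*.gridserver.com"]

if __name__ == "__main__":
    for host in ("my.server.tlg", "s123.gridserver.com"):
        print(host, check_server_name(host, SHARED_HOST_CERT))
```

The traffic is encrypted either way; what the failed check says is that the client cannot tell whether the encrypted channel ends at the intended server, which is the concern raised in the last comment about disabling validation.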