Add a way to trust self-signed certs about element-desktop HOT 27 OPEN

Certainly we can't do this in the in-browser app, as it's very much up to the browser.

I doubt we can do it for the electron app either, but maybe @dbkr knows differently.

At the end of the day, Letsencrypt is a thing, and probably a better solution than self-signed certs anyway.

from element-desktop.

I can work around this issue by adding --ignore-certificate-errors when starting riot-web.

from element-desktop.

Hi,

are there any news on this topic. We need that feature for our intern matrix server. We don't have the server connected to the internet so Let's Encrypt is no option.

Regards Martin

from element-desktop.

Same here! Please add an option to import own CAs!

from element-desktop.

I also have this problem. Let's encrypt is not an option for me (DS-Lite and DynDNS problems).

from element-desktop.

As mentioned in matrix-org/synapse#5152 (comment), to connect with my .onion hs I need to run Element Desktop version 1.11.30 with --ignore-certificate-errors parameter. The same HS run with Element Web (on element.io) connects without sweat, although the browser (Chrome) turns the padlock icon red as "your connection to this site is not secure", which I accept as Tor provides another means for privacy.

Firstly, I would much more prefer a relevant option in config.json to either ignore certificate checks completely or create a whitelist of trusted hosts about which electron should not make fuss if a self-signed certificate is presented.

Eventually, I would also like self-signed certificates to simply be acknowledged and handled favorably. Please also note, that on Element Android, when a non-trusted certificate is presented by the server, the client simply asks the user whether it should be accepted. Seems only plausible to expect a similar user experience on both platforms.

from element-desktop.

This might help: http://electron.atom.io/docs/api/app/#event-certificate-error

So it'd be possible to subscribe to that event and then, well, either verify it or not, based on user input

from element-desktop.

Hello, im not too sure where the code for that would go i tried editing it into the main.js but when i do the console no longer shows the insecure error but it still shows the trusted error on the main app.

from element-desktop.

Nevermind i gave lets encrypt a go and it worked out beautifully.

from element-desktop.

@tschopo what OS?

from element-desktop.

Ubuntu 16.04

from element-desktop.

Linux is the difficult one in this case sadly

from element-desktop.

why is that?

from element-desktop.

because for Windows and Mac electron supports firing the System UI for trusting certificates. For Linux we would need to write our own code for that

from element-desktop.

Just tried under windows 8.1. Here there is also no way to trust the certificate.

from element-desktop.

I didn't say its being called. I'm saying it CAN be, its a feature of Electron, for Linux it doesn't support it so would require a lot more work. In Windows/Mac you can trust it using the OS System settings and it'll work anyway, in Linux I don't think thats guaranteed to work

from element-desktop.

It's probably more likely blocked on upstream support

from element-desktop.

I cant use the Windows Desktop 0.17.3 because of self signed certificate warning. the --ignore-certificate-errors does not Work with Windows. How can we use the beta riot Windows Client with self signed certificates?

from element-desktop.

Trust the cert in a browser / the os itself

from element-desktop.

By OS may be working but why in 'a' browser? There should be no link between Firefox (for example) and the Windows App. I should also working like the android App to trust easily self signed certificates.

from element-desktop.

Browsers should add it to Windows certificate store which the chromium engine inside the windows app will read from

from element-desktop.

No. FF for Example has its own certificates management and nothing to do with Windows certs. IE 11 want not load the site with the error: DLG_FLAGS_INVALID_CA DLG_FLAGS_SEC_CERT_CN_INVALID I guess IE11 can manually add his cert with some mouseclicks, but there is no cert-automatism.

from element-desktop.

Same here. Our users VPN in to use riot against local matrix (synapse) server. Any updates?

from element-desktop.

I found a working solution with a selfsigned certificate and the Windowsdesktopapp Elements.
First you have to create a FuelChainCertificate. Here is a link how you can create one with OpenSSL. After you have created the Root and Intermediate certificate you have to create the server certificate. I followed also the instructions, which I found on this side. However, some adjustments were necessary for me. In my case it was not necessary to enter the URL without any errors with this instruction alone. I have to enter the IP-Adress of my server as subjectAltName. For the csr-Request I configured a san.cnf-File. And I append the server_cert_ext.cnf - File from the mentioned turtorial above with the entire content of the san.cnf file.
Example san.cnf
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C =
ST =
L =
O =
OU =
emailAddress =
CN = example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = x.x.x.x

After that I was not able to connect to my server via the hostname but now I can connect with https://ip-adress. I gues my hostname failed because I do not have a FQDN because I do not have a domain :D
Hope that helps

from element-desktop.

I found that my self-signed certificate worked out of the box on NixOS's build of Element. There were two things that were important here:

1. The signing certificate is added to the system trust store (/etc/ssl/certs/)
2. the certificate contains the domain as SubjectAltName. A domain in CommonName only is rejected by electron.

If these are not sufficient, specifying the --use-openssl-ca option to electron might help.

I haven't tested whether the certificate also works for federation (assuming the other server trusts it), but that would be a synapse issue rather than an element issue if not.

from element-desktop.

I doubt we can do it for the electron app either, but maybe @dbkr knows differently.

Wouldn't this work?

const { app } = require('electron')
app.commandLine.appendSwitch('ignore-certificate-errors')

from element-desktop.

I think it's crazy Electron lets you totally headshot certificate errors, but not specifically add an extra CA.

Feels like a real slap in the face regarding security.

I'm trying to trust an org CA for this instance of Electron/Element-Desktop specifically, I don't want to add it to the system's cert store.

from element-desktop.