fix: serve real TLS in XMPP chat proxy #5
The recent Riot client patch ignores chat.use_tls.enabled=false and chat.allow_bad_cert.enabled=true in clientconfig, so the chat proxy now needs to serve TLS with a publicly valid certificate for the host that replaces chat.host. Same approach as Deceive and RadiantConnect.

Changes:
- New ChatCert.py loads a PFX from a configurable URL, caches it locally, builds an SSLContext with the full intermediate chain (skipping intermediates causes the client to RST the handshake with WinError 64 on Windows).
- ConfigProxy rewrites chat.host and chat.affinities to the proxy host and passes ssl_context to ChatProxy.start_client_proxy.
- ChatProxy.start_client_proxy accepts an optional ssl_context.
- Defaults work zero-config (cert hosted on Cloudflare R2, renewed monthly via Actions). Overridable via LCD_PFX_URL / LCD_CHAT_PROXY_HOST env vars or chat_cert_config.json next to ChatCert.py.

Closes KebsCS#4
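The point the PR description makes about shipping the full intermediate chain can be shown in code. The block below is an added illustration, not the PR's ChatCert.py: it assumes the `cryptography` package, parses a PFX into key plus leaf-first chain, checks that the chain actually links up to a trusted root, and loads it into a server-side SSLContext in that order. The root, intermediate, leaf and the host name chat-proxy.example are constructed for the demo; `make_demo_pfx(include_intermediate=False)` reproduces the "PFX without its intermediate" case that a client cannot build a path from.

```python
import datetime
import os
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def load_pfx(pfx_bytes, password=None):
    """Parse a PFX and return (private_key, chain) with the chain ordered
    leaf first, then each issuing intermediate. The self-signed root is
    left out: clients must already trust it, so sending it is wasted bytes."""
    key, leaf, extras = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if key is None or leaf is None:
        raise ValueError("PFX lacks a private key or end-entity certificate")
    chain, remaining = [leaf], list(extras or [])
    while remaining:
        parent = next((c for c in remaining if c.subject == chain[-1].issuer), None)
        if parent is None or parent.subject == parent.issuer:
            break
        chain.append(parent)
        remaining.remove(parent)
    return key, chain


def chain_is_complete(chain, trusted_roots):
    """True when each certificate is issued by the next one in the list and
    the last one is issued by a trusted root. A client needs exactly this to
    build a path; a leaf sent without its intermediate fails the check."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return any(chain[-1].issuer == root.subject for root in trusted_roots)


def build_server_context(pfx_bytes, password=None):
    """Server SSLContext whose Certificate message carries the full chain."""
    key, chain = load_pfx(pfx_bytes, password)
    pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ) + b"".join(c.public_bytes(serialization.Encoding.PEM) for c in chain)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # load_cert_chain reads key and certificates from one PEM file; the order
    # of the certificates in that file is the order sent to the client.
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(pem)
        ctx.load_cert_chain(path)
    finally:
        os.unlink(path)
    return ctx


def _issue(subject_cn, issuer_cn, pubkey, signer_key, is_ca):
    """Constructed helper: sign a 30-day certificate for the demo chain."""
    now = datetime.datetime.now(datetime.timezone.utc)

    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )


def make_demo_pfx(include_intermediate=True):
    """Constructed root -> intermediate -> leaf chain packed as an unencrypted
    PFX for the placeholder host chat-proxy.example. With
    include_intermediate=False the bundle mimics a PFX exported without its
    intermediate, the case the PR notes breaks the client's handshake."""
    root_key, mid_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _issue("Demo Root", "Demo Root", root_key.public_key(), root_key, True)
    mid = _issue("Demo Intermediate", "Demo Root", mid_key.public_key(), root_key, True)
    leaf = _issue("chat-proxy.example", "Demo Intermediate", leaf_key.public_key(), mid_key, False)
    extras = [mid, root] if include_intermediate else [root]
    pfx = pkcs12.serialize_key_and_certificates(
        b"demo", leaf_key, leaf, extras, serialization.NoEncryption()
    )
    return pfx, root


if __name__ == "__main__":
    pfx, root = make_demo_pfx()
    _, chain = load_pfx(pfx)
    print([c.subject.rfc4514_string() for c in chain], chain_is_complete(chain, [root]))
    build_server_context(pfx)
```

Running `chain_is_complete` against the chain extracted from a freshly downloaded PFX, before handing the context to the proxy, turns the "WinError 64 on Windows" symptom into a clear error at startup rather than a failed handshake on the client's side.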
Thank you for the PR, I have a few questions.
5. **Create**.
6. Copy the **Access Key ID**, **Secret Access Key**, and the **Account ID** (visible in the S3 API URL, e.g. `https://<account-id>.r2.cloudflarestorage.com`). Only shown once.
## Step 6 — Create the renewal workflow in GitHub
Is it possible to have a cert that doesn't need renewal? Or one that has a very long expiry date?
```python
DEFAULT_PFX_URL = "https://pfx.lolcert.online/localhost.pfx"
DEFAULT_CHAT_PROXY_HOST = "localhost.lolcert.online"
```
Is it possible to use a public, well-known domain instead? I’m thinking it would be too easy for the client to block a private one. It would also be a headache for me to maintain or update it if it’s not my own or something widely used.
I found this: https://gist.github.com/tinogomes/c425aa2a56d289f16a1f4fcb8a65ea65
Or a /etc/hosts file like the gist suggests?
```json
{
  "pfx_url": "https://your-host.example.com/localhost.pfx",
  "chat_proxy_host": "localhost.your-domain.example.com"
}
```
If we go with this method, I'd rather not make it configurable. Most of the code relies on undocumented APIs and should work out of the box. In my opinion, changing the domain directly in a Python file is simple enough.
Not sure if this is a GitHub issue, but this file doesn't load for me now.