Mention Let'sEncrypt issues with Element mobile clients #1145
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Maybe we should make this the default? If Element doesn't support that, what is there (as of right now) that justifies having it enabled? |
|
Using TURNS there is a marginal benefit of the signaling channel not leaking the remote address during the WebRTC setup. |
|
Element doesn't support TURNS though, so we don't really get that benefit? |
|
Element (mobile) does support TURNS, and even attempts to use it, the issue is specifically with the Let's Encrypt chain. The WebRTC lib uses a different CA root list than that of the operating system. |
|
Turning it off by default would leave some people with questions, don't you think? "Why are we reducing the (wrongly perceived) security of the homeservers." There might be those who are currently using the playbook with manually installed certs too. They don't expect changes like this. I propose we change the default to turn off turns in case the built-in Let'sEncrypt support is |
Sounds reasonable and likely better than updating some documentation page that no one will read. I've done that in 8b146f0. Thank you! 👍 |
spantaleev
added a commit
that referenced
this pull request
Jul 2, 2021
|
I've been away the past week and couldn't work on this, thanks for completing the job! 👍 |
|
For the record, these are the issue pages in for the mobile clients: |
russ-go
added a commit
to russ-go/matrix-docker-ansible-deploy
that referenced
this pull request
Sep 1, 2021
* stable-5963 * domain_fix * jibri env * jibri service * JICOFO_RESERVATION_ENABLED contains whitespaces. * whitespaces * Upgrade Element (1.7.30 -> 1.7.31) * Coturn update 4.5.2 -> 4.5.2-r2 * jibri service * minor fix * network-alias added to fix domains * Remove unused variables from mx-puppet-* bridges Related to spantaleev#1131 * jicofo client proxy connection * matrix_jitsi_jicofo_component_secret validation * Update prometheus v2.27.1 -> v2.28.0 * Mount /data in matrix-redis container Fixes spantaleev#1140 * Update main.yml update to v0.2.0 * Remove asterisks from configuring-dns.md These previously denoted optional DNS records but now optional records are a separate table so they are unnecessary. * heisenbridge fix service name * Update IRC bridge * Upgrade Synapse (1.36.0 -> 1.37.0) * postgres minor updates * Updating to latest synapse release (performance regression) https://github.com/matrix-org/synapse/releases/tag/v1.37.1 * Add worker metrics to prometheus exporter * Make federation domain customizable * make them show as jobs in grafana * we index from 0 apparently * Fix Content-Security-Policy for Element Fixes spantaleev#1154 According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy, having both a header and the `<meta>`-tag provided by Element itself is not a problem. The 2 CSP policies get combined. * remove jibri * remove jibri * Correct broken documentation link Recently, documentation on Synapse has been changed from .rst to .md. Therefore, the current links for the purge history API were resulting in a 404 error. * Upgrade mjolnir (0.1.17 -> 0.1.18) and implement self building * Remove a bunch of redundant Ansible <2.8 self building checks * Update Mjolnir (v0.1.17 -> v0.1.18) * GoMatrixHosting v0.5.1 * Disable turns when Let's Encrypt is used Supersedes spantaleev#1145 * Do not try to use TURNS when TLS disabled for Coturn Related to spantaleev#1145 * Use a prom variable and not a synapse role variable * Skip importing validate_config task when Synapse is disabled * Fix self-building for Coturn Fixes spantaleev#1158 * Fix template syntax error in OIDC SSO example * GoMatrixHosting 0.5.2 * prometheus version 2.28.0 -> 2.28.1 * did i even update this * Upgrade Element (1.7.31 -> 1.7.32) * Upgrade certbot & nginx Upgrade certbot (v1.16.0 -> v1.17.0) nginx (1.21.0 -> 1.21.1) * Upgrade grafana (8.0.3 -> 8.0.5) * Update to ma1sd v2.5.0 * Upgrade matrix-corporal (2.1.0 -> 2.1.1) * feat: update synapse to 1.38.0 * Added selfbuild functionality to mautrix-signal bridge * Autoset self-build for mautrix-signal bridge * Added proxy config for synapse-admin * GoMatrixHosting v0.5.5 * GoMatrixHosting v0.5.5 * Upgrade grafana (8.0.5 -> 8.0.6) * Fixed self-build functionality for mautrix-signal and added self-build functionality for signald * Added missing X-Forwarded-Proto header * Fixed mautrix-telegram selfbuild not working on non amd64 platforms * Docs * Renamed matrix_lottieconverter to matrix_telegram_lottieconverter * Masked TARGETARCH via docker.build.arg directive * Upgrade Element (1.7.32 -> 1.7.33) * Upgrade hydrogen (v0.2.0 -> v0.2.3) * Update main.yml Fixes an issue related to anoadragon453/matrix-reminder-bot#86 * root path for the base domain is wrong (spantaleev#1189) * root path for the base domain * Fix path when running in a container Co-authored-by: Slavi Pantaleev <[email protected]> * Do not needlessly ignore errors * remove prosody JICOFO_COMPONENT_SECRET * Reverted back to manual self-build detection * Fix some if-checks We'd rather not suppress pull errors or run self-build tasks if pulling fails. * Remove unnecessary if-condition * Upgrade Synapse (1.38.0 -> 1.38.1) * Update prometheus node exporter (1.1.2 -> 1.2.0) * Update configuring-well-known.md * Restore authentication for Jitsi Meet. * Allow for self-building of reminder-bot * Updated group_vars to update self_build based on matrix_architecture * Remove unnecessary if condition All of `setup_install.yml` only runs if `matrix_bot_matrix_reminder_bot_enabled`, so it's not necessary to add that condition once again. * Update docs/self-building.md * GoMatrixHosting v0.5.5 * Minor fixups for ma1sd 2.5.0 Related to spantaleev#1171 * Upgrade Synapse (1.38.1 -> 1.39.0) * Update howto-server-delegation.md The attached code for the "Serving the Federation API with your certificates and matrix-nginx-proxy" section suggests using the matrix.<your-domain> certificate for the federation API as opposed to the necessary <your-domain> certificate for the federation to work. This can cause some confusion to readers. * Remove unnecessary argument from Postgres import command The default of using the `matrix` database is better anyway. * Upgrade Element (1.7.33 -> 1.7.34) * Split install/uninstall tasks in matrix-email2matrix * Remove some useless if conditions * Add self-building support to matrix-email2matrix * Fix email2matrix path initialization Regression since 421f85d * Upgrade Hydrogen (0.2.3 -> 0.2.5) * whatsapp bridge has new docker image location See https://github.com/mautrix/whatsapp/releases/tag/v0.1.8 * Update IRC appservice https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.29.0 * New version of Mautrix Signal bridge version 0.2.0 provided through new GitLab repository location * irc appservice image tag has a 'v' now * GMH v0.5.7... maybe! * Update Synapse (1.39.0 -> 1.40.0) * Update homeserver.yaml to keep up with Synapse v1.40.0 Related to spantaleev#1225 * Allow configuring synapse database transaction limit * simplify template conditional * use group variables instead * remove matrix_awx_enabled from these * use saner folder permissions * Update matrix-mautrix-signal config to 0.2.0 to enable relay mode * Relay bot configurable + permissions Enable / disable relay bot functionality as configuratoin paramter; set bridge permissions for base domain users to user level * Default relay bot functionality setting Per default relay bot functionality is disabled; the bridge user permissions depends on the relay bot, if enabled the base domain users are on level relay, else remain on user; * Augment documentation for relay bot * Update as per suggestion * Remove intial permissions seting Permissions, when set in the template, will be augmented rahter than replaced when using matrix_mautrix_signal_configuration_extension_yaml. Therefore, permissions shall only be set in the defaults/vars.yml or in the HS specific vars.yml file * Update docs/configuring-playbook-bridge-mautrix-signal.md Document how to enable relay functionality in a room Co-authored-by: Jan <[email protected]> * Update roles/matrix-bridge-mautrix-signal/defaults/main.yml Improved setup through template file Co-authored-by: Jan <[email protected]> * Update roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 Updated settings in template file: * relay for any user * user permissions only for HS domain users Co-authored-by: Jan <[email protected]> * Update docs/configuring-playbook-bridge-mautrix-signal.md Improvement of documentation Co-authored-by: Jan <[email protected]> * Change sequence of permissions As per earlier comment (see from tulir) the sequence has been changed. * Missing ticks * Simplify if condition * Replace tabs to spaces to prevent problems in YAML * docker-ce is now available for Debian Bullseye * Upgrade Element (1.7.34 -> 1.8.0) * Make template generic for the pemission settings * Preset the permissions inline with other bridges * Document the permissions settings. Distinguish between augmenting and overwriting. * Pin Heisenbridge to 1.0.0 * Mautrix-Facebook repo location update, pin v0.3.1 The Github link is just a redirect to Tulir's own GitLab, so I replaced the self-build link The docker container repository was rearranged hierarchically (dock.mau.dev/tulir/mautrix-facebook -> dock.mau.dev/mautrix/facebook) Tagged versions have been made available, thus :latest -> :v0.3.1 * Upgrade Element (1.8.0 -> 1.8.1) Element web/desktop has just been updated to fix some regressions in regard to VoIP. * Bump Coturn version tag (4.5.2-r2 -> 4.5.2-r3) Fixes spantaleev#1236 * Update readme mautrix bridges * Update container-images.md * update mautrix docs * Update configuring-playbook-bridge-mautrix-hangouts.md * Update configuring-playbook-bridge-mautrix-instagram.md * Update configuring-playbook-bridge-mautrix-signal.md * Update configuring-playbook-bridge-mautrix-hangouts.md * Update configuring-playbook-bridge-mautrix-telegram.md * Update configuring-playbook-bridge-mautrix-whatsapp.md * Update main.yml * update new repo name mautrix-hangouts * update new repo name mautrix * update mautrix new repo name * update mautrix new repo name * update links * update link * Update the docker image version for mautrix-telegram * Certbot update v1.18.0 * Upgrade Sygnal (v0.9.0 -> v0.10.1) * add code for LinkedIn Bridge * Adds Documentation for LinkedIn Bridge * Postgres Minor Updates * Update to version v0.30.0 https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.30.0 * Add missing section separator * Do not reference variables from other roles This configuration is supposed to be kept clean and not reference variables defined in other roles. `group_vars/matrix_servers` redefines these to hook our various roles together. * Remove (non-working) SQLite support from beeper-linkedin bridge This bridge doesn't support SQLite anyway, so it's not necessary to carry around configuration fields and code for migration from SQLite to Postgres. There's nothing to migrate. * Announce LinkedIn Messaging bridging support Related to spantaleev#1242 * Upgrade devture/exim-relay (4.94.2-r0-2 -> 4.94.2-r0-3) Related to devture/exim-relay#11 * Upgrade matrix-corporal (2.1.1 -> 2.1.2) * prometheus & its exporter updates * Update Synapse from 1.40.0 to 1.41.0 * Update main.yml Fix incorrect docker version tag for matrix-appservice-irc * Endpoint changes for Client and media API due to migration to 1.41.0 * Update homeserver.yaml to match the one in Synapse v1.41.0 Related to spantaleev#1247 * Grafana Grafana v8.1 * mjolnir releases v0.1.19 * Hydrogen v0.2.7 * Update prometheus (2.29.1 -> 2.29.2) Update prometheus (2.29.1 -> 2.29.2) * Update Coturn (4.5.2-r3 -> 4.5.2-r4) * Jitsi Update stable-5963 * Syntex fixed * Update configuring-playbook-jitsi.md matrix_jitsi_jicofo_component_secret var removed spantaleev#1139 * Add link to Dimension admin page This avoids having to create a new room and to click the "Add widgets, bridges & bots" link (Formerly the four-squares-icon) * Upgrade exim-relay (4.94.2-r0-3 -> 4.94.2-r0-4) * Remove no-longer accurate sentences * Upgrade to Synaspe v 1.41.1 (Security Update) Synapse 1.41.1 Patches 2 exploits that can reveal information about rooms an user is not supposed to have access to information about. * Pull correct version when self building Mautrix Facebook and Synapse Admin * Upgrade Element (1.8.1 -> 1.8.2) * Move some related tasks closer together in matrix-client-hydrogen Co-authored-by: sakkiii <[email protected]> Co-authored-by: Slavi Pantaleev <[email protected]> Co-authored-by: hanthor <[email protected]> Co-authored-by: Aaron Raimist <[email protected]> Co-authored-by: Michael Sasser <[email protected]> Co-authored-by: Thom Wiggers <[email protected]> Co-authored-by: Davy Landman <[email protected]> Co-authored-by: Stuart Mumford <[email protected]> Co-authored-by: oxmie <[email protected]> Co-authored-by: sak <[email protected]> Co-authored-by: WobbelTheBear <[email protected]> Co-authored-by: Michael-GMH <[email protected]> Co-authored-by: Neutron <[email protected]> Co-authored-by: Sergei Shikalov <[email protected]> Co-authored-by: Markus <[email protected]> Co-authored-by: Janar Juusu <[email protected]> Co-authored-by: Toorero <[email protected]> Co-authored-by: JokerGermany <[email protected]> Co-authored-by: sakkiii <[email protected]> Co-authored-by: Richard Meyer <[email protected]> Co-authored-by: maximilianschmelzer <[email protected]> Co-authored-by: Hardy Erlinger <[email protected]> Co-authored-by: Nate <[email protected]> Co-authored-by: 0xLAITH <[email protected]> Co-authored-by: Sebastian Gumprich <[email protected]> Co-authored-by: Wolfgang Winter <[email protected]> Co-authored-by: Sebastian Gumprich <[email protected]> Co-authored-by: Toni Spets <[email protected]> Co-authored-by: Jaffex <[email protected]> Co-authored-by: Dan Arnfield <[email protected]> Co-authored-by: pushytoxin <[email protected]> Co-authored-by: AtomHare <[email protected]> Co-authored-by: nono <[email protected]> Co-authored-by: Alexandar Mechev <[email protected]> Co-authored-by: Catalan Lover <[email protected]> Co-authored-by: Joseph Walton-Rivers <[email protected]> Co-authored-by: Wolfgang Winter <[email protected]> Co-authored-by: Hagen <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Let me know if you'd prefer to have a
matrix_coturn_enable_tls: true/falsevariable instead