Needless requirement of tlsextradomain
Description
tlsextradomain shouldn’t be needed if the certificate is explicitly pinned. The wallet already checks the certificate matches, so the domain doesn’t provide any value besides annoyance.
Expected Behavior
The wallet checks that the certificate provided in URI matches the one sent by the server and accepts it without other conditions.
Actual Behavior
Zap rejects certificates without tlsextradomain despite it knowing that the certificate matches.
Possible Fix
Remove unnecessary domain check, check certificate equality only. Even better, instead of putting the whole certificate into the URI (and QR code), it could just use SHA256, which would be significantly shorter.
Steps to Reproduce
- configure and launch lnd instance without tlsextradomain and tlsextraip
- generate QR code and use it for connecting
- see error
- set tlsextradomain
- delete tls.cert and tls.key
- restart lnd
- re-create QR code
- connect and see it working
Context
I was trying to connect to an lnd node. I will also want to provide an lndconnect QR code in the future using a fairly complex process that may not know the domain name at the time of setting up lnd. This would lead to terrible complexity.
Your Environment
- Zap version: 0.3.0-beta
- Android version: 10
- Device: Google Pixel 3
- LND Version: 0.10.0-beta
Issue Analytics
- Created 3 years ago
- Comments: 11 (1 by maintainers)
@Kixunil I couldn’t get the idea out of my head and actually made a test implementation of the certificate hashing and new trusting mechanism yesterday. It was a lot easier than I thought. https://github.com/michaelWuensch/zap-android/commit/96ebf6cc39247a2661507f650393605093fb0000
Please note that this does not change anything considering the tlsextradomain or tlsextraip. We are still using the certificate to create a secure connection and therefore are bound to those values. The only thing that has changed is the way we determine if we should trust that certificate. It allows us to now only transmit a certificate hash in the lndconnect string which makes the QR-Code a lot less dense.
To make this happen though it has to be implemented for Desktop and iOS as well and the actual lndconnect has to be updated.
Thanks for your input!
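The hash-based trust check described in the comment above, as an added Python example that is not code from the Zap project, lndconnect, or the commenter. It treats the certificate as opaque DER bytes (a constructed byte string stands in for a real X.509 certificate, so no parsing is done), uses the real lndconnect query parameter names cert and macaroon, and introduces a hypothetical certhash parameter for the hash-only variant. It shows both pinning modes side by side: full-certificate equality as lndconnect does today, and SHA-256 fingerprint equality, which keeps the URI (and therefore the QR code) much shorter while still rejecting any certificate other than the pinned one.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a DER-encoded certificate. This is NOT a real
# X.509 certificate; the trust check below only ever compares raw bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x2a" + bytes(range(256)) + b"constructed-sample-cert"
SAMPLE_MACAROON = b"constructed-sample-macaroon"


def b64url(data: bytes) -> str:
    """lndconnect-style base64url encoding without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER bytes, the value a hash-only URI would carry."""
    return hashlib.sha256(cert_der).digest()


def build_lndconnect_uri(host: str, port: int, cert_der: bytes,
                         macaroon: bytes, pin_by_hash: bool = False) -> str:
    """Build a lndconnect:// URI carrying either the whole cert or its hash.

    'cert' and 'macaroon' are the parameter names lndconnect actually uses;
    'certhash' is a hypothetical name for the hash-only variant.
    """
    if pin_by_hash:
        pin = "certhash=" + b64url(cert_fingerprint(cert_der))
    else:
        pin = "cert=" + b64url(cert_der)
    return f"lndconnect://{host}:{port}?{pin}&macaroon={b64url(macaroon)}"


def parse_pin(uri: str):
    """Return ('hash', digest) or ('cert', der) from the URI, else raise."""
    parts = urlsplit(uri)
    if parts.scheme != "lndconnect":
        raise ValueError("not a lndconnect URI")
    query = parse_qs(parts.query)
    if "certhash" in query:
        return "hash", b64url_decode(query["certhash"][0])
    if "cert" in query:
        return "cert", b64url_decode(query["cert"][0])
    raise ValueError("URI carries no certificate pin")


def server_cert_is_trusted(uri: str, presented_cert_der: bytes) -> bool:
    """Trust decision for the certificate the server presented during TLS.

    With a hash pin the presented DER is hashed and the digests are compared;
    with a full-cert pin the DER bytes are compared directly. Both comparisons
    are constant-time so the check itself leaks nothing about the pinned value.
    """
    kind, pinned = parse_pin(uri)
    if kind == "hash":
        return hmac.compare_digest(pinned, cert_fingerprint(presented_cert_der))
    return hmac.compare_digest(pinned, presented_cert_der)


def uri_length_saving(cert_der: bytes, macaroon: bytes) -> int:
    """How many characters the hash-only URI saves over the full-cert URI."""
    full = build_lndconnect_uri("node.example", 10009, cert_der, macaroon)
    hashed = build_lndconnect_uri("node.example", 10009, cert_der, macaroon, True)
    return len(full) - len(hashed)


if __name__ == "__main__":
    uri = build_lndconnect_uri("node.example", 10009, SAMPLE_CERT_DER,
                               SAMPLE_MACAROON, pin_by_hash=True)
    print(uri)
    print("genuine cert trusted:", server_cert_is_trusted(uri, SAMPLE_CERT_DER))
    print("tampered cert trusted:", server_cert_is_trusted(uri, SAMPLE_CERT_DER + b"\x00"))
    print("characters saved:", uri_length_saving(SAMPLE_CERT_DER, SAMPLE_MACAROON))
```

As the comment points out, this only changes how the wallet decides whether to trust the certificate; the TLS handshake itself still validates the certificate the server sends, so any hostname or IP checks that depend on tlsextradomain or tlsextraip are untouched by the change.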
FYI, I needed to do a change similar to adding tlsextradomain for BTCPayServer, so I decided to support tlsextradomain too. I figured the setting can be used multiple times, so thankfully there’s no conflict with admin configuration. This means I’m de-prioritizing my PR to remove the requirement. I might still do it at some point, but probably not anytime soon. Thanks for all your support so far anyway!