Fixes to Complement's Federation Certificate

[anoadragon453]

This PR contains two fixes, separated by commit.

1. Add Subject information to Complement's CA and ephemeral certificates. Federation clients will not accept a certificate if they are unable to get the details of the CA that issued them. It looks for this information in the longterm CA cert.
2. The longterm cert would expire after 5 hours. It is not regenerated if it already exists. Federation clients will not accept expired certificates. I've updated the expiration to 10 years.

Because the longterm CA certificate is not regenerated if it already exists, people will need to clear the old certificates (located in /tests/ca/) to generate a new certificate.

Note: I think for 1. information is only required for the CA cert, but I've added the same to the ephemeral cert just in case.

[valkum]

Copy from the Complement Room:

I think the better solution would be to check for the expiration date in the GetOrCreate function, and don't return the existing cert if it expires in less than 2 hours.
Long valid certs are considered bad in the security space form my understanding. While most problems with long running certs should not be encountered in this scenario (running mostly in CI). If you were to run Complement from your host and you want to enforce TLS checks, you would need to add the now 10year valid CA cert to your local trust store, which I find pretty rough.
Furthermore, still while the chances are pretty low, sometime in the future no one has to debug a failing build because the CA cert expired, if we just check validity and renew if needed.
You can renew a cert to keep the same public key, and in my believe this would be the proper solution here.

Oh and we need to make sure that we add the CA to the trust store in the complement container. That might be missing as well.
Reasoning for this: I rather like a secure by default design where Complement enforces TLS, to check whether a used container has a working TLS implementation and with that an option to disable this checks, than a insecure by default design. In my opinion it would be good to see if Homeservers correctly handle TLS validation.
For this, there would be additional work needed to spin up a federation server in complement with a invalid cert to see if the Homeserver still communicates with Complement.

[anoadragon453]

If you were to run Complement from your host and you want to enforce TLS checks, you would need to add the now 10year valid CA cert to your local trust store, which I find pretty rough.

Perhaps a better solution may be to create a HTTP client that is used for federation requests to homeservers which contains the CA cert (see tls.Config.RootCAs? That way we wouldn't be adding the cert to the host (and wouldn't be littering it with loads of expired certs).

Reasoning for this: I rather like a secure by default design where Complement enforces TLS, to check whether a used container has a working TLS implementation and with that an option to disable this checks, than a insecure by default design. In my opinion it would be good to see if Homeservers correctly handle TLS validation.

Yeah, I agree. FYI see the discussion in #65 regarding whether to remove the COMPLEMENT_CA environment variable. This could take the form of a separate env var, or piggyback off the existing one.

For this, there would be additional work needed to spin up a federation server in complement with a invalid cert to see if the Homeserver still communicates with Complement.

This sounds worthwhile, though let's make a separate issue for that.

[valkum]

Perhaps a better solution may be to create a HTTP client that is used for federation requests to homeservers which contains the CA cert (see tls.Config.RootCAs? That way we wouldn't be adding the cert to the host (and wouldn't be littering it with loads of expired certs).

That sounds reasonable and also helps with implementing an invalid federation endpoint for testing TLS verification.

[kegsay]

@anoadragon453 can you merge this please?

[anoadragon453]

@kegsay Apologies for the delay. I've been working on and off on some improvements to this PR as discussed above with @valkum. Mainly having Complement verify federation certificates and seeding Complement's federation client with the CA cert instead of needing to add it to the host.

Those changes can certainly come in a separate PR though.