feat: support underscore-prefixed domains with self-signed TLS certificates #7926

Open
hpk42 wants to merge 33 commits into link2xt/rustls-underscore from hpk/underdomains

@hpk42 hpk42 commented Mar 1, 2026

Allow Delta Chat core to work with chatmail servers running on underscore-prefixed domains (e.g. _alice.example.org) which use self-signed TLS certificates. This is mirroring related work on chatmail relays: chatmail/relay#855 . Underscore domains with self-signed TLS certs can be used by LXC containers on local networks where obtaining real certificates is not practical.

When the domain starts with '_', certificate verification is automatically relaxed for IMAP/SMTP connections, dcaccount QR code handling, and iroh relay endpoints. The Python test suite is adapted to also work against such underscore-domain servers, including cross-core tests with older Delta Chat versions.

Note: this PR does not support HTTPS requests with underscore domains. They are not currently needed for working with LXC test containers, and introducing support would not only require some boilerplate with TLS connections but also a deeper look at how hyper performs http requests. It's best left for a separate consideration. This PR also does not make Iroh work with underscore domains. It would draw in dependencies and that is best considered in a separate PR.

Note2: I also fixed some resource loading in tests, because I ran into issues as I wasn't running tests from deltachat-rpc-client directory but repo root.
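
A sketch of the host-based rule described above, as an added example that is not code from this PR or from Delta Chat core. The names `CertChecks` and `cert_checks_for_host` are hypothetical, and the input hygiene (only a bare DNS name can qualify for relaxed checks) is an assumption of this sketch, not something the PR states.

```rust
/// How strictly to verify the server certificate for one connection.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum CertChecks {
    /// Normal chain and hostname validation.
    Strict,
    /// Self-signed certificate accepted (underscore-prefixed host only).
    AcceptSelfSigned,
}

/// Hypothetical helper: choose the policy from the exact host the socket
/// will connect to. Assumption: only a leading '_' on the first DNS label
/// relaxes verification; every other input stays strict.
pub fn cert_checks_for_host(host: &str) -> CertChecks {
    // A trailing dot denotes the same DNS name; ignore it.
    let host = host.strip_suffix('.').unwrap_or(host);
    // Only a bare DNS name may qualify. Anything carrying URL or address
    // syntax (port, userinfo, path, whitespace) or an empty label is
    // treated as strict, so the relaxation cannot be reached through a
    // string that was never reduced to the host actually being dialed.
    let bare_dns_name = !host.is_empty()
        && host.split('.').all(|label| {
            !label.is_empty()
                && label.len() <= 63
                && label
                    .bytes()
                    .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
        });
    if bare_dns_name && host.starts_with('_') {
        CertChecks::AcceptSelfSigned
    } else {
        CertChecks::Strict
    }
}

fn main() {
    // Constructed sample hosts; only the first form appears in the PR text.
    let samples = [
        "_alice.example.org",
        "example.org",
        "mail._alice.example.org",
        "_alice.example.org:993",
    ];
    for h in samples {
        println!("{:<26} {:?}", h, cert_checks_for_host(h));
    }
}
```

Keeping the decision in one function makes it easy to log every connection that ran with `AcceptSelfSigned` and to audit that no other code path disables verification.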

@hpk42 hpk42 force-pushed the hpk/underdomains branch 3 times, most recently from d9623a6 to 0f8a349 Compare March 2, 2026 18:54
Hocuri and others added 8 commits March 2, 2026 22:11
…tes the contact (#7883)

fix #7880

depends on #7754 (merged)

With this change, a securejoin message is just ignored if the contact
was deleted in the meantime; apparently the user is not interested in
the securejoin process anymore if they deleted the contact.

But other, parallel securejoin processes must not be affected; the test
also tests this.

Bumps [proptest](https://github.com/proptest-rs/proptest) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/proptest-rs/proptest/releases)
- [Changelog](https://github.com/proptest-rs/proptest/blob/main/CHANGELOG.md)
- [Commits](proptest-rs/proptest@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: proptest
  dependency-version: 1.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

I assume that the problem was that sometimes, alice2 or fiona doesn't
accept alice's smeared timestamp, because `calc_sort_timestamp()`
doesn't allow the timestamp of a received message to be in the future. I
tried this patch:

```diff
diff --cc src/chat.rs
index 9565437,9565437cf..a2e4f97d0
--- a/src/chat.rs
+++ b/src/chat.rs
@@@ -46,6 -46,6 +46,7 @@@ use crate::receive_imf::ReceivedMsg
  use crate::smtp::{self, send_msg_to_smtp};
  use crate::stock_str;
  use crate::sync::{self, Sync::*, SyncData};
++use crate::timesmearing::MAX_SECONDS_TO_LEND_FROM_FUTURE;
  use crate::tools::{
      IsNoneOrEmpty, SystemTime, buf_compress, create_broadcast_secret, create_id,
      create_outgoing_rfc724_mid, create_smeared_timestamp, create_smeared_timestamps, get_abs_path,
@@@ -1212,7 -1212,7 +1213,11 @@@ SELECT id, rfc724_mid, pre_rfc724_mid, 
          received: bool,
          incoming: bool,
      ) -> Result<i64> {
--        let mut sort_timestamp = cmp::min(message_timestamp, smeared_time(context));
++        let mut sort_timestamp = cmp::min(
++            message_timestamp,
++            // Add MAX_SECONDS_TO_LEND_FROM_FUTURE in order to allow other senders to do timesmearing, too:
++            smeared_time(context) + MAX_SECONDS_TO_LEND_FROM_FUTURE,
++        );
  
          let last_msg_time: Option<i64> = if always_sort_to_bottom {
              // get newest message for this chat
```
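Review bot: In the second hunk the widened bound `smeared_time(context) + MAX_SECONDS_TO_LEND_FROM_FUTURE` is applied inside `cmp::min` unconditionally, although the signature just above it carries `received` and `incoming` flags. If the extra allowance exists only so that other senders can do timesmearing, consider applying it only when `incoming` is true, or say in the comment why locally created messages should get the same allowance. The new comment line is also much longer than the surrounding lines and would read better wrapped or placed above the `cmp::min` call.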

...maybe this patch makes sense anyways, but you still get the problem
that the message sent by alice2 (i.e. the add-fiona message) will have
an earlier timestamp than the message sent by alice, because alice
already sent more messages, and therefore has more timesmearing-seconds.

It's unclear whether it makes sense to modify calc_sort_timestamp() this way because if some chat member has the clock in the future (even unintentionally), their fresh messages will be sorted to the bottom relative to others' fresh messages. Maybe it's even better to limit the message timestamp ("Date") by the current system time there.

To really fix the problem, we could send a serial number together with the timestamp, that distinguishes two messages sent in the same second. But since we haven't gotten complaints about message ordering for some time, let's just leave things as they are.

Since all this timesmearing is a bit best-effort right now, I decided to
instead just make the test more relaxed.

…nces headers for prefetch_should_download (#7932)

Don't depend on these 3 cleartext headers for the question whether we
download a message.

This PR will waste a bit of bandwidth for people who use the legacy
show_emails option; apart from that, there is no user-visible change
yet. It's a preparation for being able to remove these headers, in order
to further reduce unencrypted metadata.

Removing In-Reply-To and References will be easy; removing Chat-Version
must happen at least one release after the PR here is released, so that
people don't miss messages. Also, maybe some nerds depend on the
Chat-Version header for server-side filtering of messages, but we shall
have this discussion at some other time.

For the question whether a message should be moved, we do still depend
on them; this will be fixed with
#7780.

When both this PR and #7780 are merged, we can stop requesting
Chat-Version header during prefetch.

Minimal change lets the desktop client select gif files placed in the
stickers folders.

Fix #7933

Apparently I was inattentive when reviewing
#7870; there even was a test that
tested that the incorrect description is used XD

Thanks for noticing @r10s!

Implements property value escaping according to RFC6350 section 3.4.
<https://www.rfc-editor.org/rfc/rfc6350.html#section-3.4>

Fixes: #7893

Remove compatibility code needed for Core <= v1.143, Core 1.144 was released on 2024-09-21.
@hpk42 hpk42 force-pushed the hpk/underdomains branch 3 times, most recently from b0a66e5 to cc74488 Compare March 4, 2026 10:03
@link2xt link2xt changed the base branch from main to link2xt/rustls-underscore March 4, 2026 17:44
@link2xt link2xt force-pushed the link2xt/rustls-underscore branch 2 times, most recently from d31f931 to e40d4fd Compare March 4, 2026 17:56
nicodh and others added 10 commits March 4, 2026 23:07
Don't use first-person form in placeholder texts,
as these can be misleading when broadcasted to group.
Additionally ensures that broadcasted system messages
are not localized to not leak locally-set language 
to the group chat.

Fixes #7930

Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>

With multiple transports there are multiple inbox loops on the same profile `Context`.
They tend to start running housekeeping at the same time, e.g. when deleting
a message with an attachment, and then `remove_unused_files()`
tries to remove the same files that are already deleted by another thread
and logs errors.
link2xt added 2 commits March 6, 2026 09:35
This change is mainly to avoid exposing the write lock outside the pool module.
To avoid deadlocks, outside code should work only with the pooled connections
and use no more than one connection per thread.
Documentation comment explains how it prevents the deadlock.
dependabot bot and others added 11 commits March 6, 2026 13:26
Bumps [strum](https://github.com/Peternator7/strum) from 0.27.2 to 0.28.0.
- [Release notes](https://github.com/Peternator7/strum/releases)
- [Changelog](https://github.com/Peternator7/strum/blob/master/CHANGELOG.md)
- [Commits](Peternator7/strum@v0.27.2...v0.28.0)

---
updated-dependencies:
- dependency-name: strum
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Bumps [strum_macros](https://github.com/Peternator7/strum) from 0.27.2 to 0.28.0.
- [Release notes](https://github.com/Peternator7/strum/releases)
- [Changelog](https://github.com/Peternator7/strum/blob/master/CHANGELOG.md)
- [Commits](Peternator7/strum@v0.27.2...v0.28.0)

---
updated-dependencies:
- dependency-name: strum_macros
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

…icates

Allow Delta Chat core to work with chatmail servers running on
underscore-prefixed domains (e.g. _alice.localchat) which use
self-signed TLS certificates. This is mirroring related work
on chatmail relays: chatmail/relay#855
Underscore domains with self-signed TLS certs can be used by LXC test
containers where obtaining real certificates is not practical.

When the domain starts with '_', certificate verification is
automatically relaxed for IMAP/SMTP connections, dcaccount QR
code handling, and iroh relay endpoints. The Python test suite
is adapted to also work against such underscore-domain servers,
including cross-core tests with older Delta Chat versions.

Note: this PR does not support HTTPS requests with underscore
domains. They are not currently needed for working with LXC test
containers.

14 files changed, +102/-31 lines (excluding Cargo.lock).
Cargo.lock: +606/-11 lines from enabling iroh features
needed for connecting to iroh relay endpoint on underscore domains.
The added dependencies are unfortunate but best considered
when finally upgrading to iroh 1.0 (tm).

…ead of AcceptInvalidCertificates

Remove AcceptInvalidCertificates overrides in configure.rs and qr.rs that
caused a fallback to OpenSSL/native-tls. The upstream Rustls TLS layer now
handles underscore-prefixed domains via NoCertificateVerification directly.
Also fix clippy lint in peer_channels.rs (map_or -> is_some_and).

and the webpki-root-certs needs the license admission
@hpk42 hpk42 force-pushed the hpk/underdomains branch from cc74488 to 6592aa8 Compare March 7, 2026 08:50
7 participants