feat: support underscore-prefixed domains with self-signed TLS certificates#7926
Open
hpk42 wants to merge 6 commits into link2xt/rustls-underscore from
link2xt reviewed Mar 1, 2026
link2xt reviewed Mar 2, 2026
…icates

Allow Delta Chat core to work with chatmail servers running on underscore-prefixed domains (e.g. _alice.localchat) which use self-signed TLS certificates. This is mirroring related work on chatmail relays: chatmail/relay#855

Underscore domains with self-signed TLS certs can be used by LXC test containers where obtaining real certificates is not practical.

When the domain starts with '_', certificate verification is automatically relaxed for IMAP/SMTP connections, dcaccount QR code handling, and iroh relay endpoints. The Python test suite is adapted to also work against such underscore-domain servers, including cross-core tests with older Delta Chat versions.

Note: this PR does not support HTTPS requests with underscore domains. They are not currently needed for working with LXC test containers.

14 files changed, +102/-31 lines (excluding Cargo.lock). Cargo.lock: +606/-11 lines from enabling iroh features needed for connecting to iroh relay endpoint on underscore domains. The added dependencies are unfortunate but best considered when finally upgrading to iroh 1.0 (tm).
…ead of AcceptInvalidCertificates

Remove AcceptInvalidCertificates overrides in configure.rs and qr.rs that caused a fallback to OpenSSL/native-tls. The upstream Rustls TLS layer now handles underscore-prefixed domains via NoCertificateVerification directly.

Also fix clippy lint in peer_channels.rs (map_or -> is_some_and).
and the webpki-root-certs needs the license admission
97de2ae to b0a66e5
d31f931 to e40d4fd
Allow Delta Chat core to work with chatmail servers running on underscore-prefixed domains (e.g. _alice.example.org) which use self-signed TLS certificates. This is mirroring related work on chatmail relays: chatmail/relay#855. Underscore domains with self-signed TLS certs can be used by LXC containers on local networks where obtaining real certificates is not practical.
When the domain starts with '_', certificate verification is automatically relaxed for IMAP/SMTP connections, dcaccount QR code handling, and iroh relay endpoints. The Python test suite is adapted to also work against such underscore-domain servers, including cross-core tests with older Delta Chat versions.
Note: this PR does not support HTTPS requests with underscore domains. They are not currently needed for working with LXC test containers, and introducing support would not only require some boilerplate with TLS connections but also a deeper look at how hyper performs HTTP requests. It's best left for a separate consideration. This PR also does not make Iroh work with underscore domains. It would draw in dependencies and that is best considered in a separate PR.
Note 2: I also fixed some resource loading in tests, because I ran into issues as I wasn't running tests from deltachat-rpc-client directory but repo root.
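
The hostname gate described in the PR description, as an added example that is not code from this pull request: a std-only Rust function that decides, from the hostname a client is about to connect to, whether certificate verification stays strict or is relaxed. `CertPolicy`, `cert_policy_for_host`, `demo` and the sample hostnames are hypothetical; keeping anything that is not a plain DNS name strict is an assumption of this example.

```rust
/// Certificate policy for one outgoing connection (hypothetical type).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CertPolicy {
    /// Full chain and hostname verification against trusted roots.
    Strict,
    /// Verification relaxed: the peer is not authenticated.
    Relaxed,
}

/// Pick the policy from the hostname the client is about to connect to.
/// Only a leading '_' on the whole name counts, as the PR text states.
pub fn cert_policy_for_host(host: &str) -> CertPolicy {
    // A trailing dot names the same DNS host; it must not change the result.
    let name = host.strip_suffix('.').unwrap_or(host);
    // Assumption of this example: input that is not a plain DNS name (port,
    // userinfo, URL pieces, whitespace, bracketed IP) always stays strict.
    let plain = !name.is_empty()
        && name.split('.').all(|label| {
            !label.is_empty()
                && label.len() <= 63
                && label
                    .bytes()
                    .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
        });
    if plain && name.starts_with('_') {
        CertPolicy::Relaxed
    } else {
        CertPolicy::Strict
    }
}

// Constructed sample hostnames, not taken from the pull request's tests.
static SAMPLES: [&str; 8] = [
    "_alice.localchat", "_alice.example.org.", "mail._alice.example.org",
    "example.org", "_alice.example.org:993", "_x@example.org",
    " _alice.example.org", "",
];

/// Each constructed sample paired with the policy it receives.
pub fn demo() -> Vec<(&'static str, CertPolicy)> {
    SAMPLES.iter().map(|&h| (h, cert_policy_for_host(h))).collect()
}

fn main() {
    for (host, policy) in demo() {
        println!("{:?} -> {:?}", host, policy);
    }
}
```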