Cert issue with previewed external icon causes popup about "this Mattermost server"
I confirm (by marking "x" in the [ ] below: [x]):
- [x] This is not a troubleshooting question. Troubleshooting questions go here: https://docs.mattermost.com/install/troubleshooting.html.
- [x] This doesn't reproduce on web browsers (such as in Chrome). If it does, issue reports go to the Mattermost Server repository.
- [x] I have read contributing guidelines.
Summary
A cert issue with a previewed (unfurled) external icon causes a popup with an incorrect error message about "this Mattermost server".
Environment
- Operating System:
- Mattermost Desktop App version: 5.0.4
- Mattermost Server version: 6.4.0
The problem was replicated with the desktop app on two Macs, running macOS Monterey Version 12.3.1. One was M1, one was Intel.
The problem did not reproduce in Chrome, even when the channel and preview in question was viewed. (However, it is possible that security settings or plugins interfered with a TLS error message; the Chrome reproduction attempt was cursory, and didn't include in-depth testing of browser settings.)
Steps to reproduce
(Note: I do not own or control https://d.dgn.io/ or https://citizen-network.org/, but references to them ended up exposing the problem.)
1. Find or create a server with a TLS certificate misconfiguration, such as a mismatched common name (server name does not match name(s) given in cert). For instance, https://d.dgn.io/ currently returns a cert that does not have `d.dgn.io` as one of the acceptable common names.
2. Find or create an image URL using the domain name from above, such as `https://d.dgn.io/build/img/social-media.jpg`.
3. Find or create a web page that uses the image URL from above in its `meta name="twitter:image"` and `meta property="og:image"` tags. For instance, https://citizen-network.org/ currently returns a page with the following meta tags:
   ```html
   <meta name="twitter:image" content="https://d.dgn.io/build/img/social-media.jpg"/>
   <meta property="og:image" content="https://d.dgn.io/build/img/social-media.jpg"/>
   ```
4. Post the URL of the web page from above, e.g. https://citizen-network.org/, as a message to one of the Mattermost channels.
5. (There may be other steps, such as leaving and returning to the channel, or closing and re-opening the app, or the server caching the opengraph information for later use. The error reproduces, but intermittently, and the exact reproduction conditions are not clear. It seems likely that the user needs to be subscribed to the channel where the preview is displayed, at least, but this was not confirmed, and it's not clear the problem only occurred in the channel where the offending preview was.)
Expected behavior
- The Mattermost server retrieves the opengraph preview information and shows a preview.
- A broken image icon displays instead of the normal website preview icon.
- No error pops up. From the user's point of view the cert error is silently ignored, and the only result is the broken preview icon.
Observed behavior
- The Mattermost server retrieves the opengraph preview information and shows a preview.
- A broken image icon displays instead of the normal website preview icon.
- An error pops up. The error reads, "There is a configuration issue with this Mattermost server, or someone is trying to intercept your connection. You also may need to sign into the Wi-Fi you are connected to using your web browser.
  origin: https://d.dgn.io Error: net::ERR_CERT_COMMON_NAME_INVALID"

(Screenshot: common-name-invalid-popup)
Additional information: clicking "More Details" leads to another popup about the certificate which is involved in the misconfiguration. In the test case, it reads 'Certificate from "R3" is not trusted.' (Note that this error message is somewhat misleading, because the R3 certificate in this case is trustworthy, it just doesn't match the server name. But this message is not the issue being reported.)

(Screenshot: certificate-not-trusted-popup)

Also note, the cert for the Mattermost server in question is configured correctly. It is not `d.dgn.io`.
The main problem is twofold:
- A popup occurs instead of the cert error being silently ignored.
- The message improperly suggests that there is a problem with the Mattermost server or the user's wifi connection, when it is neither of those things; rather, the problem is with the preview icon.
Possible fixes
Presumably, Electron throws an error when it detects a problem with the display of the icon retrieved from the server with the TLS mis-configuration. This error is presumably handled by code that assumes that the only TLS error will be with the server (or the user's wifi). The code should instead determine if there is a problem with the connection to the Mattermost server, and if there is not, it should not warn the user. If the app has logs or advanced debugging output, the error could be logged to that, with a notice that it was ignored because it wasn't related to the Mattermost server.
To summarize:
- Suppress or ignore the error from the user's point of view, except for displaying a broken image preview icon.
- If the error is logged for advanced users or admins, it would refer to a preview image problem, rather than a problem with the Mattermost server or the user's wifi.
Thanks for the report @peterkaminski. I think what we'll have to do here is check where the origin of the certificate error is coming from and display a different error message based on that.
Created a ticket here: https://mattermost.atlassian.net/browse/MM-44229
This one was resolved here: https://github.com/mattermost/desktop/pull/2205