mirror of
https://mau.dev/maunium/synapse.git
synced 2024-11-15 22:42:23 +01:00
Validate federation server TLS certificates by default.
This commit is contained in:
parent
14f13babb0
commit
e2dfb922e1
3 changed files with 15 additions and 8 deletions
1
changelog.d/5359.feature
Normal file
1
changelog.d/5359.feature
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)).
|
|
@ -74,7 +74,7 @@ class TlsConfig(Config):
|
||||||
|
|
||||||
# Whether to verify certificates on outbound federation traffic
|
# Whether to verify certificates on outbound federation traffic
|
||||||
self.federation_verify_certificates = config.get(
|
self.federation_verify_certificates = config.get(
|
||||||
"federation_verify_certificates", False,
|
"federation_verify_certificates", True,
|
||||||
)
|
)
|
||||||
|
|
||||||
# Whitelist of domains to not verify certificates for
|
# Whitelist of domains to not verify certificates for
|
||||||
|
@ -241,12 +241,12 @@ class TlsConfig(Config):
|
||||||
#
|
#
|
||||||
#tls_private_key_path: "%(tls_private_key_path)s"
|
#tls_private_key_path: "%(tls_private_key_path)s"
|
||||||
|
|
||||||
# Whether to verify TLS certificates when sending federation traffic.
|
# Whether to verify TLS server certificates for outbound federation requests.
|
||||||
#
|
#
|
||||||
# This currently defaults to `false`, however this will change in
|
# Defaults to `true`. To disable certificate verification, uncomment the
|
||||||
# Synapse 1.0 when valid federation certificates will be required.
|
# following line.
|
||||||
#
|
#
|
||||||
#federation_verify_certificates: true
|
#federation_verify_certificates: false
|
||||||
|
|
||||||
# Skip federation certificate verification on the following whitelist
|
# Skip federation certificate verification on the following whitelist
|
||||||
# of domains.
|
# of domains.
|
||||||
|
|
|
@ -27,6 +27,7 @@ from twisted.web.http import HTTPChannel
|
||||||
from twisted.web.http_headers import Headers
|
from twisted.web.http_headers import Headers
|
||||||
from twisted.web.iweb import IPolicyForHTTPS
|
from twisted.web.iweb import IPolicyForHTTPS
|
||||||
|
|
||||||
|
from synapse.config.homeserver import HomeServerConfig
|
||||||
from synapse.crypto.context_factory import ClientTLSOptionsFactory
|
from synapse.crypto.context_factory import ClientTLSOptionsFactory
|
||||||
from synapse.http.federation.matrix_federation_agent import (
|
from synapse.http.federation.matrix_federation_agent import (
|
||||||
MatrixFederationAgent,
|
MatrixFederationAgent,
|
||||||
|
@ -52,11 +53,16 @@ class MatrixFederationAgentTests(TestCase):
|
||||||
|
|
||||||
self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
|
self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
|
||||||
|
|
||||||
|
# for now, we disable cert verification for the test, since the cert we
|
||||||
|
# present will not be trusted. We should do better here, though.
|
||||||
|
config_dict = default_config("test", parse=False)
|
||||||
|
config_dict["federation_verify_certificates"] = False
|
||||||
|
config = HomeServerConfig()
|
||||||
|
config.parse_config_dict(config_dict)
|
||||||
|
|
||||||
self.agent = MatrixFederationAgent(
|
self.agent = MatrixFederationAgent(
|
||||||
reactor=self.reactor,
|
reactor=self.reactor,
|
||||||
tls_client_options_factory=ClientTLSOptionsFactory(
|
tls_client_options_factory=ClientTLSOptionsFactory(config),
|
||||||
default_config("test", parse=True)
|
|
||||||
),
|
|
||||||
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
|
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
|
||||||
_srv_resolver=self.mock_resolver,
|
_srv_resolver=self.mock_resolver,
|
||||||
_well_known_cache=self.well_known_cache,
|
_well_known_cache=self.well_known_cache,
|
||||||
|
|
Loading…
Reference in a new issue