path: root/synapse/config/tls.py
authorJeroen <vo.jeroen@gmail.com>2018-06-24 22:38:43 +0200
committerJeroen <vo.jeroen@gmail.com>2018-06-24 22:38:43 +0200
commit3d605853c8e649ab4b3f91fb0a32cc77ef05d71f (patch)
treea7528c2dcf069b50cbe6571bb29bf42610ab3d21 /synapse/config/tls.py
parentRevert "Merge pull request #3431 from matrix-org/rav/erasure_visibility" (diff)
send SNI for federation requests
Diffstat (limited to 'synapse/config/tls.py')
-rw-r--r--synapse/config/tls.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index b66154bc7c..4e7d1bd93e 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -47,6 +47,8 @@ class TlsConfig(Config):
 
         self.tls_fingerprints = config["tls_fingerprints"]
 
+        self.tls_ignore_certificate_validation = config.get("tls_ignore_certificate_validation", False)
+
         # Check that our own certificate is included in the list of fingerprints
         # and include it if it is not.
         x509_certificate_bytes = crypto.dump_certificate(
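Review bot: The new `tls_ignore_certificate_validation` option is read silently on the added line; since a truthy value presumably turns off certificate checking for outbound federation TLS (the enforcement is not in this hunk), an operator who enables it by mistake gets no signal at all. Emit a startup warning when it is set, for example `if self.tls_ignore_certificate_validation: logger.warning("tls_ignore_certificate_validation is enabled: federation TLS certificates will NOT be verified")`, assuming the module has or can take a `logging.getLogger(__name__)` logger. It would also be safer to coerce the value with `bool(...)` so a YAML string such as `"false"` does not end up truthy. The enclosing `read_config` method starts before and continues after this hunk.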
@@ -73,6 +75,8 @@ class TlsConfig(Config):
         tls_private_key_path = base_key_name + ".tls.key"
         tls_dh_params_path = base_key_name + ".tls.dh"
 
+        tls_ignore_certificate_validation = False
+
         return """\
         # PEM encoded X509 certificate for TLS.
         # You can replace the self-signed certificate that synapse
@@ -117,6 +121,11 @@ class TlsConfig(Config):
         #
         tls_fingerprints: []
         # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
+
+        # Ignore certificate validation for TLS client connections to other
+        # homeservers using federation. Don't enable this in a production
+        # environment, unless you know what you are doing!
+        tls_ignore_certificate_validation: %(tls_ignore_certificate_validation)s
         """ % locals()
 
     def read_tls_certificate(self, cert_path):
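Review bot: The generated-config comment added in this hunk warns "unless you know what you are doing" but never says what the setting actually gives up, so an operator cannot make an informed choice from the sample config alone. State the concrete consequence, e.g. `# Setting this to true disables validation of the remote homeserver's certificate (chain and hostname), so a network attacker can impersonate any federation peer. Leave it false.` — the exact scope of what is skipped should be confirmed against the code that consumes the flag, which is outside this diff. Note also that the value is rendered from a Python bool via `%(...)s`, so the sample reads `False`; YAML accepts that as a boolean, but spelling it `false` would match the style of the rest of the generated file. The enclosing `default_config` method starts before this hunk.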