author | Neil Johnson <neil@matrix.org> | 2019-06-06 17:23:02 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-06 17:23:02 +0100 |
commit | 833c406b9b34392eb64780eeef6b670be762ea21 (patch) | |
tree | bdaae34b3fbaea7af8c7dadb205c37f173c926da /UPGRADE.rst | |
parent | Regen sample config before kicking off agents (#5370) (diff) | |
Neilj/1.0 upgrade notes (#5371)
1.0 upgrade/install notes
Diffstat (limited to 'UPGRADE.rst')
-rw-r--r-- | UPGRADE.rst | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/UPGRADE.rst b/UPGRADE.rst index 228222d534..6032a505c9 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -49,6 +49,55 @@ returned by the Client-Server API: # configured on port 443. curl -kv https://<host.name>/_matrix/client/versions 2>&1 | grep "Server:" +Upgrading to v1.0 +================= + +Validation of TLS certificates +------------------------------ + +Synapse v1.0 is the first release to enforce +validation of TLS certificates for the federation API. It is therefore +essential that your certificates are correctly configured. See the `FAQ +<docs/MSC1711_certificates_FAQ.md>`_ for more information. + +Note, v1.0 installations will also no longer be able to federate with servers +that have not correctly configured their certificates. + +In rare cases, it may be desirable to disable certificate checking: for +example, it might be essential to be able to federate with a given legacy +server in a closed federation. This can be done in one of two ways:- + +* Configure the global switch ``federation_verify_certificates`` to ``false``. +* Configure a whitelist of server domains to trust via ``federation_certificate_verification_whitelist``. + +See the `sample configuration file <docs/sample_config.yaml>`_ +for more details on these settings. + +Email +----- +When a user requests a password reset, Synapse will send an email to the +user to confirm the request. + +Previous versions of Synapse delegated the job of sending this email to an +identity server. If the identity server was somehow malicious or became +compromised, it would be theoretically possible to hijack an account through +this means. + +Therefore, by default, Synapse v1.0 will send the confirmation email itself. If +Synapse is not configured with an SMTP server, password reset via email will be +disabled. + +To configure an SMTP server for Synapse, modify the configuration section +headed ``email``, and be sure to have at least the ``smtp_host``, ``smtp_port`` +and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, +``smtp_pass``, and ``require_transport_security``. 
+ +If you are absolutely certain that you wish to continue using an identity +server for password resets, set ``trust_identity_server_for_password_resets`` to ``true``. + +See the `sample configuration file <docs/sample_config.yaml>`_ +for more details on these settings. + Upgrading to v0.99.0 ==================== |
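Review bot: In the "Validation of TLS certificates" section, the two opt-outs are listed as if they were equivalent, but the "global switch" ``federation_verify_certificates`` turns validation off for every federation peer, while ``federation_certificate_verification_whitelist`` limits the exception to named server domains. For the closed-federation case the text itself gives, I would list the whitelist first and add a sentence saying that setting the global switch to ``false`` removes certificate validation for all federation traffic, so it should be the last resort. In the "Email" section, the same kind of caveat is missing for ``trust_identity_server_for_password_resets``: the paragraph two above explains the account-hijack risk, and the opt-in sentence should refer back to it so a reader who jumps straight to the setting sees the trade-off. Two style points: "in one of two ways:-" should end with a plain colon, and the "Email" heading has no blank line after its underline, unlike the "Validation of TLS certificates" heading above it.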