summary refs log tree commit diff
path: root/docs/sample_config.yaml
diff options
context:
space:
mode:
authorAndrew Morgan <1342360+anoadragon453@users.noreply.github.com>2019-04-25 06:22:49 -0700
committerRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2019-04-25 14:22:49 +0100
commit6824ddd93df1cfc347e4c8f423d54fab5bb732fb (patch)
tree4ef1853e6bd78aa2ed9cc75dcf7724b82aa27d97 /docs/sample_config.yaml
parentRemove log error for .well-known/matrix/client (#4972) (diff)
downloadsynapse-6824ddd93df1cfc347e4c8f423d54fab5bb732fb.tar.xz
Config option for verifying federation certificates (MSC 1711) (#4967)
Diffstat (limited to 'docs/sample_config.yaml')
-rw-r--r--docs/sample_config.yaml34
1 files changed, 34 insertions, 0 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index ab02e8f20e..a7f6bf31ac 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -260,6 +260,40 @@ listeners:
 #
 #tls_private_key_path: "CONFDIR/SERVERNAME.tls.key"
 
+# Whether to verify TLS certificates when sending federation traffic.
+#
+# This currently defaults to `false`, however this will change in
+# Synapse 1.0 when valid federation certificates will be required.
+#
+#federation_verify_certificates: true
+
+# Skip federation certificate verification on the following whitelist
+# of domains.
+#
+# This setting should only be used in very specific cases, such as
+# federation over Tor hidden services and similar. For private networks
+# of homeservers, you likely want to use a private CA instead.
+#
+# Only effective if federation_verify_certicates is `true`.
+#
+#federation_certificate_verification_whitelist:
+#  - lon.example.com
+#  - *.domain.com
+#  - *.onion
+
+# List of custom certificate authorities for federation traffic.
+#
+# This setting should only normally be used within a private network of
+# homeservers.
+#
+# Note that this list will replace those that are provided by your
+# operating environment. Certificates must be in PEM format.
+#
+#federation_custom_ca_list:
+#  - myCA1.pem
+#  - myCA2.pem
+#  - myCA3.pem
+
 # ACME support: This will configure Synapse to request a valid TLS certificate
 # for your configured `server_name` via Let's Encrypt.
 #