diff options
author | Mark Haines <mark.haines@matrix.org> | 2016-10-11 19:14:46 +0100 |
---|---|---|
committer | Mark Haines <mark.haines@matrix.org> | 2016-10-11 19:14:46 +0100 |
commit | 6e9f3ab415b855a032f092baf083f354116db284 (patch) | |
tree | a2733b1cde2adfbd5be2823586372f79b3cd87e6 /synapse/config/tls.py | |
parent | Merge pull request #1160 from matrix-org/rav/401_on_password_fail (diff) | |
download | synapse-6e9f3ab415b855a032f092baf083f354116db284.tar.xz |
Add config option for adding additional TLS fingerprints
Diffstat (limited to '')
-rw-r--r-- | synapse/config/tls.py | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py index fac8550823..956b440f7a 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -19,6 +19,9 @@ from OpenSSL import crypto import subprocess import os +from hashlib import sha256 +from unpaddedbase64 import encode_base64 + GENERATE_DH_PARAMS = False @@ -42,6 +45,19 @@ class TlsConfig(Config): config.get("tls_dh_params_path"), "tls_dh_params" ) + self.tls_fingerprints = config["tls_fingerprints"] + + # Check that our own certificate is included in the list of fingerprints + # and include it if it is not. + x509_certificate_bytes = crypto.dump_certificate( + crypto.FILETYPE_ASN1, + self.tls_certificate + ) + sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest()) + sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints) + if sha256_fingerprint not in sha256_fingerprints: + self.tls_fingerprints.append({u"sha256": sha256_fingerprint}) + # This config option applies to non-federation HTTP clients # (e.g. for talking to recaptcha, identity servers, and such) # It should never be used in production, and is intended for @@ -73,6 +89,27 @@ class TlsConfig(Config): # Don't bind to the https port no_tls: False + + # List of allowed TLS fingerprints for this server to publish along + # with the signing keys for this server. Other matrix servers that + # make HTTPS requests to this server will check that the TLS + # certificates returned by this server match one of the fingerprints. + # + # Synapse automatically adds its the fingerprint of its own certificate + # to the list. So if federation traffic is handle directly by synapse + # then no modification to the list is required. + # + # If synapse is run behind a load balancer that handles the TLS then it + # will be necessary to add the fingerprints of the certificates used by + # the loadbalancers to this list if they are different to the one + # synapse is using. + # + # Homeservers are permitted to cache the list of TLS fingerprints + # returned in the key responses. It may be necessary to publish the + # fingerprints of a new certificate and wait for the caches on other + # servers to expire before deploying it. + tls_fingerprints: [] + #- {"sha256": "<base64_encoded_sha256_fingerprint>"} """ % locals() def read_tls_certificate(self, cert_path): |