summary refs log tree commit diff
path: root/synapse/config/tls.py
diff options
context:
space:
mode:
authorRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2019-06-06 10:50:42 +0100
committerGitHub <noreply@github.com>2019-06-06 10:50:42 +0100
commitcb3b381fcbb7e9bcb3a3e46b08d21ae5b2f3de24 (patch)
treeb82425dd1854b01dfeea7156e1736aa40f8bdb8e /synapse/config/tls.py
parentMerge pull request #5361 from matrix-org/rav/generate_signing_key (diff)
parentMerge branch 'rav/fix_custom_ca' into rav/enable_tls_verification (diff)
downloadsynapse-cb3b381fcbb7e9bcb3a3e46b08d21ae5b2f3de24.tar.xz
Merge pull request #5359 from matrix-org/rav/enable_tls_verification
Validate federation server TLS certificates by default.
Diffstat (limited to 'synapse/config/tls.py')
-rw-r--r--synapse/config/tls.py10
1 files changed, 5 insertions, 5 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 94a53d05f9..658f9dd361 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -74,7 +74,7 @@ class TlsConfig(Config):
 
         # Whether to verify certificates on outbound federation traffic
         self.federation_verify_certificates = config.get(
-            "federation_verify_certificates", False,
+            "federation_verify_certificates", True,
         )
 
         # Whitelist of domains to not verify certificates for
@@ -241,12 +241,12 @@ class TlsConfig(Config):
         #
         #tls_private_key_path: "%(tls_private_key_path)s"
 
-        # Whether to verify TLS certificates when sending federation traffic.
+        # Whether to verify TLS server certificates for outbound federation requests.
         #
-        # This currently defaults to `false`, however this will change in
-        # Synapse 1.0 when valid federation certificates will be required.
+        # Defaults to `true`. To disable certificate verification, uncomment the
+        # following line.
         #
-        #federation_verify_certificates: true
+        #federation_verify_certificates: false
 
         # Skip federation certificate verification on the following whitelist
         # of domains.