diff options
author | Amber Brown <hawkowl@atleastfornow.net> | 2019-06-28 18:19:09 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-28 18:19:09 +1000 |
commit | be3b901ccdf28d0f81d312d7cd8b7bedb22b4049 (patch) | |
tree | c2d74f0f8aee048f47cdfdc61f83e171201a45e0 /synapse/config | |
parent | Added possibilty to disable local password authentication (#5092) (diff) | |
download | synapse-be3b901ccdf28d0f81d312d7cd8b7bedb22b4049.tar.xz |
Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)
Diffstat (limited to 'synapse/config')
-rw-r--r-- | synapse/config/tls.py | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py index 8fcf801418..ca508a224f 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -23,7 +23,7 @@ import six from unpaddedbase64 import encode_base64 -from OpenSSL import crypto +from OpenSSL import SSL, crypto from twisted.internet._sslverify import Certificate, trustRootFromCertificates from synapse.config._base import Config, ConfigError @@ -81,6 +81,27 @@ class TlsConfig(Config): "federation_verify_certificates", True ) + # Minimum TLS version to use for outbound federation traffic + self.federation_client_minimum_tls_version = str( + config.get("federation_client_minimum_tls_version", 1) + ) + + if self.federation_client_minimum_tls_version not in ["1", "1.1", "1.2", "1.3"]: + raise ConfigError( + "federation_client_minimum_tls_version must be one of: 1, 1.1, 1.2, 1.3" + ) + + # Prevent people shooting themselves in the foot here by setting it to + # the biggest number blindly + if self.federation_client_minimum_tls_version == "1.3": + if getattr(SSL, "OP_NO_TLSv1_3", None) is None: + raise ConfigError( + ( + "federation_client_minimum_tls_version cannot be 1.3, " + "your OpenSSL does not support it" + ) + ) + # Whitelist of domains to not verify certificates for fed_whitelist_entries = config.get( "federation_certificate_verification_whitelist", [] @@ -261,6 +282,15 @@ class TlsConfig(Config): # #federation_verify_certificates: false + # The minimum TLS version that will be used for outbound federation requests. + # + # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note + # that setting this value higher than `1.2` will prevent federation to most + # of the public Matrix network: only configure it to `1.3` if you have an + # entirely private federation setup and you can ensure TLS 1.3 support. + # + #federation_client_minimum_tls_version: 1.2 + # Skip federation certificate verification on the following whitelist # of domains. # |