author | Andrew Morgan <andrew@amorgan.xyz> | 2019-03-28 18:06:31 +0000 |
committer | Andrew Morgan <andrew@amorgan.xyz> | 2019-03-28 18:08:43 +0000 |
commit | dbb3319e5c55c4b9eb2ab53f8460034891c62403 (patch) | |
tree | 4271c72cfae68ad436b2ca9a7f0f465edf561ded /synapse | |
parent | Allow password providers to bind emails (#4947) (diff) | |
download | synapse-dbb3319e5c55c4b9eb2ab53f8460034891c62403.tar.xz |
Config option for verifying federation certificates
Diffstat (limited to 'synapse')
-rw-r--r-- | synapse/config/server.py | 28 | ||||
-rw-r--r-- | synapse/crypto/context_factory.py | 3 | ||||
-rw-r--r-- | synapse/http/federation/matrix_federation_agent.py | 1 |
3 files changed, 30 insertions, 2 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py
index 08e4e45482..affba6d920 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -110,6 +110,22 @@ class ServerConfig(Config):
# due to resource constraints
self.admin_contact = config.get("admin_contact", None)
+ self.federation_verify_certificates = config.get(
+ "federation_verify_certificates", False,
+ )
+
+ # Whitelist of domains to not verify certificates for
+ self.federation_certificate_verification_whitelist = None
+ federation_certificate_verification_whitelist = config.get(
+ "federation_certificate_verification_whitelist", None
+ )
+
+ # Store whitelisted domains in a hash for fast lookup
+ if federation_certificate_verification_whitelist is not None:
+ self.federation_certificate_verification_whitelist = {}
+ for domain in federation_certificate_verification_whitelist:
+ self.federation_certificate_verification_whitelist[domain] = True
+
# FIXME: federation_domain_whitelist needs sytests
self.federation_domain_whitelist = None
federation_domain_whitelist = config.get(
@@ -339,6 +355,18 @@ class ServerConfig(Config):
#
#enable_search: false
+ # Whether to verify TLS certificates when sending federation traffic.
+ #
+ #federation_verify_certificates: true
+
+ # Prevent federation certificate validation on the following whitelist
+ # of domains. Only effective if federation_verify_certicates is true.
+ #
+ #federation_certificate_validation_whitelist:
+ # - lon.example.com
+ # - nyc.example.com
+ # - syd.example.com
+
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 49cbc7098f..96eeb862d1 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
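Review bot: The parser defaults `federation_verify_certificates` to `False` at the first added line, while the sample-config hunk below presents `#federation_verify_certificates: true` in the position the sample uses for the default, so an operator following the sample will believe outbound federation TLS is verified when it is not unless the key is set explicitly; either the default should be `True` or the sample line should read `#federation_verify_certificates: false`. The key read here, `federation_certificate_verification_whitelist`, also does not match the key documented in the sample-config hunk, `federation_certificate_validation_whitelist`, so a whitelist copied from the sample is silently ignored and the two names need to agree. The dict of `True` values exists only for membership tests; `self.federation_certificate_verification_whitelist = set(federation_certificate_verification_whitelist)` states that intent directly and keeps `in` lookups O(1). The enclosing method starts and ends outside the hunk.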
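Review bot: The sample text misspells the option it refers to, `federation_verify_certicates`, which should be `federation_verify_certificates` so that operators searching the file find the right key. The description "Prevent federation certificate validation on the following whitelist" does not tell the reader what listing a domain costs them; a sentence such as `# Federation traffic to these domains is sent without checking the remote TLS certificate, so list only hosts you control or reach over a network you trust.` makes the trade-off explicit at the point where it is configured.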
@@ -127,8 +127,7 @@ class ClientTLSOptionsFactory(object):
to remote servers for federation."""
def __init__(self, config):
- # We don't use config options yet
- self._options = CertificateOptions(verify=False)
+ self._options = CertificateOptions(verify=config.federation_verify_certificates)
def get_options(self, host):
# Use _makeContext so that we get a fresh OpenSSL CTX each time.
diff --git a/synapse/http/federation/matrix_federation_agent.py b/synapse/http/federation/matrix_federation_agent.py
index 1334c630cc..b254faa4e1 100644
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -148,6 +148,7 @@ class MatrixFederationAgent(object):
if self._tls_client_options_factory is None:
tls_options = None
else:
+ # TODO: Check the server we're sending to here and change verify value if necessary
tls_options = self._tls_client_options_factory.get_options(
res.tls_server_name.decode("ascii")
) |
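Review bot: `CertificateOptions(verify=config.federation_verify_certificates)` passes `verify=True` with no trust store, and as I recall Twisted's `CertificateOptions` rejects `verify=True` without `caCerts` with a `ValueError`, so enabling the new option would fail at startup rather than verify anything; the client-side way to supply a trust store is `trustRoot=platformTrust()` (from `twisted.internet.ssl`), which implies verification. Chain verification is also only half of the check: without the hostname being bound into the options, a valid certificate for any name would pass, and `get_options(host)` receives the host precisely so that it can be used for that, though its body lies outside the hunk so I cannot confirm what it does with it. The rewritten `__init__` below branches on the option so that `verify=False` keeps the previous behaviour unchanged.
```python
def __init__(self, config):
    if config.federation_verify_certificates:
        # trustRoot implies verify=True and supplies the CA bundle to check against
        self._options = CertificateOptions(trustRoot=platformTrust())
    else:
        self._options = CertificateOptions(verify=False)
```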
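Review bot: The only change to this hunk is a TODO left in production code, and it points at the wrong layer: `get_options(host)` in the context factory already receives the server name, so the per-host verify decision belongs there, and this call site would not need to change. From the three files in this commit the whitelist parsed in `ServerConfig` is never consulted, so setting it currently has no effect unless that happens somewhere outside the diff; the comment should say so rather than imply the agent will grow the check, e.g. `# NOTE: federation_certificate_verification_whitelist is not applied yet; per-host options belong in ClientTLSOptionsFactory.get_options`. The enclosing function starts and ends outside the hunk.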