Config option for verifying federation certificates
3 files changed, 30 insertions, 2 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py
index 08e4e45482..affba6d920 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -110,6 +110,22 @@ class ServerConfig(Config):
# due to resource constraints
self.admin_contact = config.get("admin_contact", None)
+ self.federation_verify_certificates = config.get(
+ "federation_verify_certificates", False,
+ )
+
+ # Whitelist of domains to not verify certificates for
+ self.federation_certificate_verification_whitelist = None
+ federation_certificate_verification_whitelist = config.get(
+ "federation_certificate_verification_whitelist", None
+ )
+
+ # Store whitelisted domains in a hash for fast lookup
+ if federation_certificate_verification_whitelist is not None:
+ self.federation_certificate_verification_whitelist = {}
+ for domain in federation_certificate_verification_whitelist:
+ self.federation_certificate_verification_whitelist[domain] = True
+
# FIXME: federation_domain_whitelist needs sytests
self.federation_domain_whitelist = None
federation_domain_whitelist = config.get(
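Review bot: The key read by the new `config.get` call, `federation_certificate_verification_whitelist`, does not match the key shown in the sample config added by the next hunk, `federation_certificate_validation_whitelist`, so an operator who copies the sample gets a setting that is silently ignored and the attribute stays `None`; pick one spelling and use it in both places. The three lines that build a dict of `True` values are an unusual way to spell a set; `self.federation_certificate_verification_whitelist = set(federation_certificate_verification_whitelist)` gives the same membership test and drops the loop. Because `federation_verify_certificates` defaults to `False`, a short why-comment on that line such as `# Off by default: existing deployments keep the previous unverified behaviour` would make the security-relevant default visible to the next reader. The enclosing method starts and ends outside the hunk.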
@@ -339,6 +355,18 @@ class ServerConfig(Config):
#
#enable_search: false
+ # Whether to verify TLS certificates when sending federation traffic.
+ #
+ #federation_verify_certificates: true
+
+ # Prevent federation certificate validation on the following whitelist
+ # of domains. Only effective if federation_verify_certicates is true.
+ #
+ #federation_certificate_validation_whitelist:
+ # - lon.example.com
+ # - nyc.example.com
+ # - syd.example.com
+
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
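Review bot: `federation_verify_certicates` on the "Only effective if" line is a typo for `federation_verify_certificates`, and the sample never says what the option defaults to; the code reads it with a default of `False`, so the comment under "Whether to verify TLS certificates" should state that, e.g. `# Defaults to false.`. The example block also promises that whitelisted domains are exempt from validation, but nothing in this commit consults the parsed whitelist (the agent hunk leaves it as a TODO), so the sample describes behaviour that does not exist yet; either say so in the comment or hold the whitelist sample text until the check is wired up.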
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 49cbc7098f..96eeb862d1 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -127,8 +127,7 @@ class ClientTLSOptionsFactory(object):
to remote servers for federation."""
def __init__(self, config):
- # We don't use config options yet
- self._options = CertificateOptions(verify=False)
+ self._options = CertificateOptions(verify=config.federation_verify_certificates)
def get_options(self, host):
# Use _makeContext so that we get a fresh OpenSSL CTX each time.
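Review bot: Passing `verify=config.federation_verify_certificates` alone is probably not enough once the option is turned on: as far as I recall, Twisted's `CertificateOptions` refuses `verify=True` without CA material (`caCerts`, or the newer `trustRoot=platformTrust()` form, which implies verification), so enabling the option would fail at construction time instead of verifying anything — please confirm against the Twisted version Synapse pins. `CertificateOptions` also does not match the presented certificate against the peer hostname by itself, so a trust root still leaves the name check to be done elsewhere; `get_options(host)` below already receives the host, which makes the factory the natural place for it. The body of `get_options` continues outside the hunk.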
diff --git a/synapse/http/federation/matrix_federation_agent.py b/synapse/http/federation/matrix_federation_agent.py
index 1334c630cc..b254faa4e1 100644
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -148,6 +148,7 @@ class MatrixFederationAgent(object):
if self._tls_client_options_factory is None:
tls_options = None
else:
+ # TODO: Check the server we're sending to here and change verify value if necessary
tls_options = self._tls_client_options_factory.get_options(
res.tls_server_name.decode("ascii")
)
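Review bot: The TODO left on the new line means `federation_certificate_verification_whitelist`, which this commit's config change parses, is never consulted, so the documented exemption has no effect and the option is dead configuration until the check exists. The factory's `get_options(host)` is already handed the host, so the lookup fits there rather than in the agent; wherever it lands, the value compared should be in the same form an operator writes into the whitelist, and `res.tls_server_name` may not be that name when delegation is involved (the resolution logic is outside this hunk, so this is inferred). If the whitelist is intentionally left unimplemented here, the comment should say so plainly, e.g. `# TODO: consult config.federation_certificate_verification_whitelist; not enforced yet`, and the sample config should not advertise it. The enclosing method starts and ends outside the hunk.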