diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 5f63676d9c..9fcc79816d 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -37,7 +37,7 @@ class TlsConfig(Config):
self.acme_enabled = acme_config.get("enabled", False)
self.acme_url = acme_config.get(
- "url", "https://acme-v01.api.letsencrypt.org/directory"
+ "url", u"https://acme-v01.api.letsencrypt.org/directory"
)
self.acme_port = acme_config.get("port", 80)
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
@@ -45,7 +45,11 @@ class TlsConfig(Config):
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
- self._original_tls_fingerprints = config["tls_fingerprints"]
+ self._original_tls_fingerprints = config.get("tls_fingerprints", [])
+
+ if self._original_tls_fingerprints is None:
+ self._original_tls_fingerprints = []
+
self.tls_fingerprints = list(self._original_tls_fingerprints)
self.no_tls = config.get("no_tls", False)
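Review bot: The four-line default-then-None guard on the new lines can be a single expression, `self._original_tls_fingerprints = config.get("tls_fingerprints") or []`, which covers both a missing key and an explicit `tls_fingerprints:` with no value. Note also that the following `list(self._original_tls_fingerprints)` will happily split a scalar string into its characters if someone writes the key as a single value rather than a list; a type check (`isinstance(..., list)`) raising a ConfigError-style message would fail fast on that misconfiguration, though whether such a check belongs here depends on how the rest of the config layer validates.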
@@ -60,10 +64,14 @@ class TlsConfig(Config):
self.tls_certificate = None
self.tls_private_key = None
- def is_disk_cert_valid(self):
+ def is_disk_cert_valid(self, allow_self_signed=True):
"""
Is the certificate we have on disk valid, and if so, for how long?
+ Args:
+ allow_self_signed (bool): Should we allow the certificate we
+ read to be self signed?
+
Returns:
int: Days remaining of certificate validity.
None: No certificate exists.
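Review bot: The docstring documents the new `allow_self_signed` argument but not the new failure mode it introduces: when the flag is False and the on-disk certificate is self-signed the method now raises, and callers that previously only expected None or an int need to know that. Add a `Raises:` section after `Returns:`, e.g. `Raises:` / `ValueError: The certificate on disk is self signed and allow_self_signed is False.` The body of is_disk_cert_valid continues outside this hunk.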
@@ -84,6 +92,12 @@ class TlsConfig(Config):
logger.exception("Failed to parse existing certificate off disk!")
raise
+ if not allow_self_signed:
+ if tls_certificate.get_subject() == tls_certificate.get_issuer():
+ raise ValueError(
+ "TLS Certificate is self signed, and this is not permitted"
+ )
+
# YYYYMMDDhhmmssZ -- in UTC
expires_on = datetime.strptime(
tls_certificate.get_notAfter().decode('ascii'), "%Y%m%d%H%M%SZ"
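Review bot: The added check treats `get_subject() == get_issuer()` as "self signed", but name equality only shows the certificate is self-issued; it does not verify that the certificate was signed with its own key, so the test is a heuristic rather than a signature check. That is likely adequate for the purpose here (rejecting a placeholder cert before a real one is obtained), but the intent should be stated so a later reader does not take it as a cryptographic verification, e.g. `# subject == issuer marks a self-issued cert; treated as self signed here (no signature check)`. The enclosing is_disk_cert_valid starts outside this hunk.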
@@ -199,10 +213,10 @@ class TlsConfig(Config):
# If your server runs behind a reverse-proxy which terminates TLS connections
# (for both client and federation connections), it may be useful to disable
- # All TLS support for incoming connections. Setting no_tls to False will
+ # All TLS support for incoming connections. Setting no_tls to True will
# do so (and avoid the need to give synapse a TLS private key).
#
- # no_tls: False
+ # no_tls: True
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that