Diffstat (limited to 'synapse/config/tls.py')
-rw-r--r--synapse/config/tls.py90
1 files changed, 7 insertions, 83 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index cb17950d25..336fe3e0da 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 import logging
-import os
 from typing import Any, List, Optional, Pattern
 
 from matrix_common.regex import glob_to_regex
@@ -143,9 +142,6 @@ class TlsConfig(Config):
 
     def generate_config_section(
         self,
-        config_dir_path: str,
-        data_dir_path: str,
-        server_name: str,
         tls_certificate_path: Optional[str],
         tls_private_key_path: Optional[str],
         **kwargs: Any,
@@ -153,90 +149,18 @@ class TlsConfig(Config):
         """If the TLS paths are not specified the default will be certs in the
         config directory"""
 
-        base_key_name = os.path.join(config_dir_path, server_name)
-
         if bool(tls_certificate_path) != bool(tls_private_key_path):
             raise ConfigError(
                 "Please specify both a cert path and a key path or neither."
             )
 
-        tls_enabled = "" if tls_certificate_path and tls_private_key_path else "#"
-
-        if not tls_certificate_path:
-            tls_certificate_path = base_key_name + ".tls.crt"
-        if not tls_private_key_path:
-            tls_private_key_path = base_key_name + ".tls.key"
-
-        # flake8 doesn't recognise that variables are used in the below string
-        _ = tls_enabled
-
-        return (
-            """\
-        ## TLS ##
-
-        # PEM-encoded X509 certificate for TLS.
-        # This certificate, as of Synapse 1.0, will need to be a valid and verifiable
-        # certificate, signed by a recognised Certificate Authority.
-        #
-        # Be sure to use a `.pem` file that includes the full certificate chain including
-        # any intermediate certificates (for instance, if using certbot, use
-        # `fullchain.pem` as your certificate, not `cert.pem`).
-        #
-        %(tls_enabled)stls_certificate_path: "%(tls_certificate_path)s"
-
-        # PEM-encoded private key for TLS
-        #
-        %(tls_enabled)stls_private_key_path: "%(tls_private_key_path)s"
-
-        # Whether to verify TLS server certificates for outbound federation requests.
-        #
-        # Defaults to `true`. To disable certificate verification, uncomment the
-        # following line.
-        #
-        #federation_verify_certificates: false
-
-        # The minimum TLS version that will be used for outbound federation requests.
-        #
-        # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
-        # that setting this value higher than `1.2` will prevent federation to most
-        # of the public Matrix network: only configure it to `1.3` if you have an
-        # entirely private federation setup and you can ensure TLS 1.3 support.
-        #
-        #federation_client_minimum_tls_version: 1.2
-
-        # Skip federation certificate verification on the following whitelist
-        # of domains.
-        #
-        # This setting should only be used in very specific cases, such as
-        # federation over Tor hidden services and similar. For private networks
-        # of homeservers, you likely want to use a private CA instead.
-        #
-        # Only effective if federation_verify_certicates is `true`.
-        #
-        #federation_certificate_verification_whitelist:
-        #  - lon.example.com
-        #  - "*.domain.com"
-        #  - "*.onion"
-
-        # List of custom certificate authorities for federation traffic.
-        #
-        # This setting should only normally be used within a private network of
-        # homeservers.
-        #
-        # Note that this list will replace those that are provided by your
-        # operating environment. Certificates must be in PEM format.
-        #
-        #federation_custom_ca_list:
-        #  - myCA1.pem
-        #  - myCA2.pem
-        #  - myCA3.pem
-        """
-            # Lowercase the string representation of boolean values
-            % {
-                x[0]: str(x[1]).lower() if isinstance(x[1], bool) else x[1]
-                for x in locals().items()
-            }
-        )
+        if tls_certificate_path and tls_private_key_path:
+            return f"""\
+                tls_certificate_path: {tls_certificate_path}
+                tls_private_key_path: {tls_private_key_path}
+                """
+        else:
+            return ""
 
     def read_tls_certificate(self) -> crypto.X509:
         """Reads the TLS certificate from the configured file, and returns it