path: root/synapse/config/tls.py (follow)
Commit message | Author | Date | Files | Lines (-removed/+added)

* Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505)" (#11527)
  Sean Quah, 2021-12-07, 1 file, -2/+1
  This reverts commit a77c36989785c0d5565ab9a1169f4f88e512ce8a.

* Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505)
  Sean Quah, 2021-12-06, 1 file, -1/+2

* Add missing type hints to config base classes (#11377)
  Patrick Cloke, 2021-11-23, 1 file, -1/+1

* Remove dead code from acme support. (#11393)
  Patrick Cloke, 2021-11-19, 1 file, -50/+0

* Docs: Quote wildcard `federation_certificate_verification_whitelist` (#11381)
  Nicolai Søborg, 2021-11-18, 1 file, -2/+2
  Otherwise I get this beautiful stacktrace:
  ```
  python3 -m synapse.app.homeserver --config-path /etc/matrix/homeserver.yaml
  Traceback (most recent call last):
    File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
      return _run_code(code, main_globals, None,
    File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
      exec(code, run_globals)
    File "/root/synapse/synapse/app/homeserver.py", line 455, in <module>
      main()
    File "/root/synapse/synapse/app/homeserver.py", line 445, in main
      hs = setup(sys.argv[1:])
    File "/root/synapse/synapse/app/homeserver.py", line 345, in setup
      config = HomeServerConfig.load_or_generate_config(
    File "/root/synapse/synapse/config/_base.py", line 671, in load_or_generate_config
      config_dict = read_config_files(config_files)
    File "/root/synapse/synapse/config/_base.py", line 717, in read_config_files
      yaml_config = yaml.safe_load(file_stream)
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/__init__.py", line 125, in safe_load
      return load(stream, SafeLoader)
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/__init__.py", line 81, in load
      return loader.get_single_data()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/constructor.py", line 49, in get_single_data
      node = self.get_single_node()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 36, in get_single_node
      document = self.compose_document()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 55, in compose_document
      node = self.compose_node(None, None)
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 84, in compose_node
      node = self.compose_mapping_node(anchor)
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 133, in compose_mapping_node
      item_value = self.compose_node(node, item_key)
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 82, in compose_node
      node = self.compose_sequence_node(anchor)
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 110, in compose_sequence_node
      while not self.check_event(SequenceEndEvent):
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 98, in check_event
      self.current_event = self.state()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 379, in parse_block_sequence_first_entry
      return self.parse_block_sequence_entry()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 384, in parse_block_sequence_entry
      if not self.check_token(BlockEntryToken, BlockEndToken):
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 116, in check_token
      self.fetch_more_tokens()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 227, in fetch_more_tokens
      return self.fetch_alias()
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 610, in fetch_alias
      self.tokens.append(self.scan_anchor(AliasToken))
    File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 922, in scan_anchor
      raise ScannerError("while scanning an %s" % name, start_mark,
  yaml.scanner.ScannerError: while scanning an alias
    in "/etc/matrix/homeserver.yaml", line 614, column 5
  expected alphabetic or numeric character, but found '.'
    in "/etc/matrix/homeserver.yaml", line 614, column 6
  ```
  Signed-off-by: Nicolai Søborg <git@xn--sb-lka.org>

* Relax `ignore-missing-imports` for modules that have stubs now and update mypy (#11006)
  David Robertson, 2021-10-08, 1 file, -3/+6
  Updating mypy past version 0.9 means that third-party stubs are no longer distributed with typeshed. See http://mypy-lang.blogspot.com/2021/06/mypy-0900-released.html for details. We therefore pull in stub packages in setup.py.
  Additionally, some modules that we were previously ignoring import failures for now have stubs. So let's use them.
  The rest of this change consists of fixups to make the newer mypy + stubs pass CI.
  Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>

* [pyupgrade] `synapse/` (#10348)
  Jonathan de Jong, 2021-07-19, 1 file, -4/+2
  This PR is tantamount to running
  ```
  pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"`
  ```
  Part of #9744

* Use inline type hints in various other places (in `synapse/`) (#10380)
  Jonathan de Jong, 2021-07-15, 1 file, -3/+3

* Remove support for ACME v1 (#10194)
  Brendan Abolivier, 2021-06-17, 1 file, -145/+6
  Fixes #9778
  ACME v1 has been fully decommissioned for existing installs on June 1st 2021 (see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27), so we can now safely remove it from Synapse.

* Remove redundant code to reload tls cert (#10054)
  Richard van der Hoff, 2021-05-27, 1 file, -19/+3
  We don't need to reload the tls cert if we don't have any tls listeners. Follow-up to #9280.

* Remove tls_fingerprints option (#9280)
  Jerin J Titus, 2021-05-24, 1 file, -50/+0
  Signed-off-by: Jerin J Titus <72017981+jerinjtitus@users.noreply.github.com>

* Merge pull request from GHSA-x345-32rc-8h85
  Richard van der Hoff, 2021-05-11, 1 file, -2/+2
  * tests for push rule pattern matching
  * tests for acl pattern matching
  * factor out common `re.escape`
  * Factor out common re.compile
  * Factor out common anchoring code
  * add word_boundary support to `glob_to_regex`
  * Use `glob_to_regex` in push rule evaluator
    NB that this drops support for character classes. I don't think anyone ever used them.
  * Improve efficiency of globs with multiple wildcards
    The idea here is that we compress multiple `*` globs into a single `.*`. We also need to consider `?`, since `*?*` is as hard to implement efficiently as `**`.
  * add assertion on regex pattern
  * Fix mypy
  * Simplify glob_to_regex
  * Inline the glob_to_regex helper function
    Signed-off-by: Dan Callahan <danc@element.io>
  * Moar comments
    Signed-off-by: Dan Callahan <danc@element.io>
  Co-authored-by: Dan Callahan <danc@element.io>

* Remove redundant "coding: utf-8" lines (#9786)
  Jonathan de Jong, 2021-04-14, 1 file, -1/+0
  Part of #9744
  Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now.
  `Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`

* Bump black configuration to target py36 (#9781)
  Dan Callahan, 2021-04-13, 1 file, -1/+1
  Signed-off-by: Dan Callahan <danc@element.io>

* Enable mypy checking for unreachable code and fix instances. (#8432)
  Patrick Cloke, 2020-10-01, 1 file, -9/+9

* Add prometheus metrics to track federation delays (#8430)
  Richard van der Hoff, 2020-10-01, 1 file, -1/+0
  Add a pair of federation metrics to track the delays in sending PDUs to/from particular servers.

* Replace all remaining six usage with native Python 3 equivalents (#7704)
  Dagfinn Ilmari Mannsåker, 2020-06-16, 1 file, -3/+1

* Clarify list/set/dict/tuple comprehensions and enforce via flake8 (#6957)
  Patrick Cloke, 2020-02-21, 1 file, -1/+1
  Ensure good comprehension hygiene using flake8-comprehensions.
* Linters are hard but in the end they just want what's best for us
  Brendan Abolivier, 2020-02-13, 1 file, -1/+1
* Add a separator for the config warning
  Brendan Abolivier, 2020-02-13, 1 file, -1/+1

* Add mention and warning about ACME v1 deprecation to the Synapse config
  Brendan Abolivier, 2020-02-13, 1 file, -0/+19

* Allow empty federation_certificate_verification_whitelist (#6849)
  timfi, 2020-02-06, 1 file, -0/+2

* Add config linting script that checks for bool casing (#6203)
  Andrew Morgan, 2019-10-23, 1 file, -1/+8
  Add a linting script that enforces all boolean values in the default config be lowercase. This has annoyed me for a while so I decided to fix it.

* Refactor HomeserverConfig so it can be typechecked (#6137)
  Amber Brown, 2019-10-10, 1 file, -3/+6

* Fix well-known lookups with the federation certificate whitelist (#5997)
  Amber Brown, 2019-09-14, 1 file, -1/+8

* Config templating (#5900)
  Jorik Schellekens, 2019-08-28, 1 file, -12/+38
  Template config files
  * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that..
  Co-Authored-By: Erik Johnston <erik@matrix.org>

* Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)
  Amber Brown, 2019-06-28, 1 file, -1/+31

* Don't load the generated config as the default.
  Richard van der Hoff, 2019-06-24, 1 file, -1/+3
  It's too confusing.

* Allow configuration of the path used for ACME account keys.
  Richard van der Hoff, 2019-06-24, 1 file, -2/+14
  Because sticking it in the same place as the config isn't necessarily the right thing to do.

* Pass config_dir_path and data_dir_path into Config.read_config. (#5522)
  Richard van der Hoff, 2019-06-24, 1 file, -1/+1
  * Pull config_dir_path and data_dir_path calculation out of read_config_files
  * Pass config_dir_path and data_dir_path into read_config

* Run Black. (#5482)
  Amber Brown, 2019-06-20, 1 file, -23/+29

* Merge branch 'rav/fix_custom_ca' into rav/enable_tls_verification
  Richard van der Hoff, 2019-06-05, 1 file, -1/+1
|\
| * Fix `federation_custom_ca_list` configuration option.
    Richard van der Hoff, 2019-06-05, 1 file, -1/+1
    Previously, setting this option would cause an exception at startup.
* | Validate federation server TLS certificates by default.
    Richard van der Hoff, 2019-06-05, 1 file, -5/+5
|/

* Config option for verifying federation certificates (MSC 1711) (#4967)
  Andrew Morgan, 2019-04-25, 1 file, -6/+89

* Document using a certificate with a full chain (#4849)
  Andrew Morgan, 2019-03-13, 1 file, -0/+5

* Fix ACME config for python 2. (#4717)
  Richard van der Hoff, 2019-02-25, 1 file, -3/+7
  Fixes #4675.

* Attempt to make default config more consistent
  Richard van der Hoff, 2019-02-19, 1 file, -10/+10
  The general idea here is that config examples should just have a hash and no extraneous whitespace, both to make it easier for people who don't understand yaml, and to make the examples stand out from the comments.

* Improve config documentation
  Brendan Abolivier, 2019-02-19, 1 file, -3/+11

* Use a configuration parameter to give the domain to generate a certificate for
  Brendan Abolivier, 2019-02-18, 1 file, -0/+7

* Disable TLS by default (#4614)
  Richard van der Hoff, 2019-02-12, 1 file, -3/+3

* Fix error when loading cert if tls is disabled (#4618)
  Richard van der Hoff, 2019-02-12, 1 file, -15/+42
  If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.

* fix tests
  Richard van der Hoff, 2019-02-11, 1 file, -1/+1

* Infer no_tls from presence of TLS listeners
  Richard van der Hoff, 2019-02-11, 1 file, -8/+2
  Rather than have to specify `no_tls` explicitly, infer whether we need to load the TLS keys etc from whether we have any TLS-enabled listeners.

* Logging improvements around TLS certs
  Richard van der Hoff, 2019-02-11, 1 file, -18/+36
  Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work.

* ACME Reprovisioning (#4522)
  Amber Brown, 2019-02-11, 1 file, -1/+11

* Be tolerant of blank TLS fingerprints config (#4589)
  Amber Brown, 2019-02-11, 1 file, -1/+5

* Fix default ACME config for py2 (#4564)
  Richard van der Hoff, 2019-02-05, 1 file, -1/+1
  Fixes #4559

* fix typo in config comments (#4557)
  Richard van der Hoff, 2019-02-05, 1 file, -2/+2

* ACME config cleanups (#4525)
  Richard van der Hoff, 2019-01-30, 1 file, -26/+74
  * Handle listening for ACME requests on IPv6 addresses
    The weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses without extra quoting. Building a string which you are about to parse again seems like a weird choice. Let's just use listenTCP, which is consistent with what we do elsewhere.
  * Clean up the default ACME config
    Make it look a bit more consistent with everything else, and tweak the defaults to listen on port 80.
  * newsfile

* Do not generate self-signed TLS certificates by default. (#4509)
  Amber Brown, 2019-01-29, 1 file, -43/+18

* Support ACME for certificate provisioning (#4384)
  Amber Brown, 2019-01-23, 1 file, -24/+91

* Require ECDH key exchange & remove dh_params (#4429)
  Amber Brown, 2019-01-22, 1 file, -40/+0
  * remove dh_params and set better cipher string

* run isort
  Amber Brown, 2018-07-09, 1 file, -5/+6

* Open certificate files as bytes
  Adrian Tschira, 2018-04-10, 1 file, -2/+2
  That's what pyOpenSSL expects on python3.
  Signed-off-by: Adrian Tschira <nota@notafile.com>

* fix typo
  Matthew Hodgson, 2018-01-16, 1 file, -1/+1

* tip for generating tls_fingerprints
  Matthew Hodgson, 2017-10-24, 1 file, -0/+6
* Improve error handling for missing files (#2551)
  Richard van der Hoff, 2017-10-17, 1 file, -3/+3
  `os.path.exists` doesn't allow us to distinguish between permissions errors and the path actually not existing, which repeatedly confuses people. It also means that we try to overwrite existing key files, which is super-confusing. (cf issues #2455, #2379). Use os.stat instead.
  Also, don't recommend the use of --generate-config, which screws everything up if you're using debian (cf #2455).
* Fix typo in config comments.
  Tyler Smith, 2017-02-11, 1 file, -1/+1
  Signed-off-by: Tyler Smith <tylersmith.me@gmail.com>

* Explain how long the servers can cache the TLS fingerprints for
  Mark Haines, 2016-10-12, 1 file, -3/+4

* Improve comment formatting
  Mark Haines, 2016-10-12, 1 file, -1/+1

* Add config option for adding additional TLS fingerprints
  Mark Haines, 2016-10-11, 1 file, -0/+37

* copyrights
  Matthew Hodgson, 2016-01-07, 1 file, -1/+1

* Implement configurable stats reporting
  Daniel Wagner-Hall, 2015-09-22, 1 file, -1/+1
  SYN-287
  This requires that HS owners either opt in or out of stats reporting.
  When --generate-config is passed, --report-stats must be specified.
  If an already-generated config is used, and doesn't have the report_stats key, it is requested to be set.

* Use shorter config key name
  Daniel Wagner-Hall, 2015-09-15, 1 file, -3/+3

* Better document the intent of the insecure SSL setting
  Daniel Wagner-Hall, 2015-09-09, 1 file, -2/+6

* Allow configuration to ignore invalid SSL certs
  Daniel Wagner-Hall, 2015-09-09, 1 file, -0/+4
  This will be useful for sytest, and sytest only, hence the aggressive config key name.

* Merge branch 'master' of github.com:matrix-org/synapse into develop
  Erik Johnston, 2015-07-21, 1 file, -2/+2
|\
| * typo
    Matthew Hodgson, 2015-07-08, 1 file, -2/+2
* | We don't want semicolons.
    Erik Johnston, 2015-07-09, 1 file, -1/+1
* | remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates
    Matthew Hodgson, 2015-07-09, 1 file, -21/+9
* | document tls_certificate_chain_path more clearly
    Matthew Hodgson, 2015-07-09, 1 file, -0/+5
* | oops, context.tls_certificate_chain_file() expects a file, not a certificate.
    Matthew Hodgson, 2015-07-08, 1 file, -4/+1
* | *cough*
    Matthew Hodgson, 2015-07-08, 1 file, -2/+3
* | add new optional config for tls_certificate_chain_path for folks with intermediary SSL certs
    Matthew Hodgson, 2015-07-08, 1 file, -3/+17
|/

* Write a default log_config when generating config
  Mark Haines, 2015-04-30, 1 file, -1/+1
* Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simplify implementing config options by not requiring the classes to hit the super class
  Mark Haines, 2015-04-30, 1 file, -40/+38
* Unused import
  Erik Johnston, 2015-03-06, 1 file, -1/+1
* Don't look for a TLS private key if we have set --no-tls
  Erik Johnston, 2015-03-06, 1 file, -4/+13
* Update copyright notices
  Mark Haines, 2015-01-06, 1 file, -1/+1

* Fix pep8 warnings
  Mark Haines, 2014-10-30, 1 file, -1/+1

* fix the copyright holder from matrix.org to OpenMarket Ltd, as matrix.org hasn't been incorporated in time for launch.
  Matthew Hodgson, 2014-09-03, 1 file, -1/+1

* Fix typo when reading TLS config
  Mark Haines, 2014-09-02, 1 file, -1/+1

* More helpful error messages for missing config
  Mark Haines, 2014-09-02, 1 file, -3/+5

* Use pregenerated DH params when generating config
  Mark Haines, 2014-09-01, 1 file, -7/+29

* Fix homeserver config parsing
  Mark Haines, 2014-09-01, 1 file, -1/+1

* Add config tree to synapse. Add support for reading config from a file
  Mark Haines, 2014-08-31, 1 file, -0/+106