summary refs log tree commit diff
path: root/synapse/config/tls.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Config templating (#5900)Jorik Schellekens2019-08-281-12/+38
| | | | | | | | | | | | Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
* Update the TLS cipher string and provide configurability for TLS on outgoing ↵Amber Brown2019-06-281-1/+31
| | | | federation (#5550)
* Don't load the generated config as the default.Richard van der Hoff2019-06-241-1/+3
| | | | It's too confusing.
* Allow configuration of the path used for ACME account keys.Richard van der Hoff2019-06-241-2/+14
| | | | | Because sticking it in the same place as the config isn't necessarily the right thing to do.
* Pass config_dir_path and data_dir_path into Config.read_config. (#5522)Richard van der Hoff2019-06-241-1/+1
| | | | | | * Pull config_dir_path and data_dir_path calculation out of read_config_files * Pass config_dir_path and data_dir_path into read_config
* Run Black. (#5482)Amber Brown2019-06-201-23/+29
|
* Merge branch 'rav/fix_custom_ca' into rav/enable_tls_verificationRichard van der Hoff2019-06-051-1/+1
|\
| * Fix `federation_custom_ca_list` configuration option.Richard van der Hoff2019-06-051-1/+1
| | | | | | | | Previously, setting this option would cause an exception at startup.
* | Validate federation server TLS certificates by default.Richard van der Hoff2019-06-051-5/+5
|/
* Config option for verifying federation certificates (MSC 1711) (#4967)Andrew Morgan2019-04-251-6/+89
|
* Document using a certificate with a full chain (#4849)Andrew Morgan2019-03-131-0/+5
|
* Fix ACME config for python 2. (#4717)Richard van der Hoff2019-02-251-3/+7
| | | Fixes #4675.
* Attempt to make default config more consistentRichard van der Hoff2019-02-191-10/+10
| | | | | | The general idea here is that config examples should just have a hash and no extraneous whitespace, both to make it easier for people who don't understand yaml, and to make the examples stand out from the comments.
* Improve config documentationBrendan Abolivier2019-02-191-3/+11
|
* Use a configuration parameter to give the domain to generate a certificate forBrendan Abolivier2019-02-181-0/+7
|
* Disable TLS by default (#4614)Richard van der Hoff2019-02-121-3/+3
|
* Fix error when loading cert if tls is disabled (#4618)Richard van der Hoff2019-02-121-15/+42
| | | | | | If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.
* fix testsRichard van der Hoff2019-02-111-1/+1
|
* Infer no_tls from presence of TLS listenersRichard van der Hoff2019-02-111-8/+2
| | | | | Rather than have to specify `no_tls` explicitly, infer whether we need to load the TLS keys etc from whether we have any TLS-enabled listeners.
* Logging improvements around TLS certsRichard van der Hoff2019-02-111-18/+36
| | | | | Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work
* ACME Reprovisioning (#4522)Amber Brown2019-02-111-1/+11
|
* Be tolerant of blank TLS fingerprints config (#4589)Amber Brown2019-02-111-1/+5
|
* Fix default ACME config for py2 (#4564)Richard van der Hoff2019-02-051-1/+1
| | | Fixes #4559
* fix typo in config comments (#4557)Richard van der Hoff2019-02-051-2/+2
|
* ACME config cleanups (#4525)Richard van der Hoff2019-01-301-26/+74
| | | | | | | | | | | | | | | | * Handle listening for ACME requests on IPv6 addresses the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses without extra quoting. Building a string which you are about to parse again seems like a weird choice. Let's just use listenTCP, which is consistent with what we do elsewhere. * Clean up the default ACME config make it look a bit more consistent with everything else, and tweak the defaults to listen on port 80. * newsfile
* Do not generate self-signed TLS certificates by default. (#4509)Amber Brown2019-01-291-43/+18
|
* Support ACME for certificate provisioning (#4384)Amber Brown2019-01-231-24/+91
|
* Require ECDH key exchange & remove dh_params (#4429)Amber Brown2019-01-221-40/+0
| | | * remove dh_params and set better cipher string
* run isortAmber Brown2018-07-091-5/+6
|
* Open certificate files as bytesAdrian Tschira2018-04-101-2/+2
| | | | | | That's what pyOpenSSL expects on python3 Signed-off-by: Adrian Tschira <nota@notafile.com>
* fix typoMatthew Hodgson2018-01-161-1/+1
|
* tip for generating tls_fingerprintsMatthew Hodgson2017-10-241-0/+6
|
* Improve error handling for missing files (#2551)Richard van der Hoff2017-10-171-3/+3
| | | | | | | | | | | `os.path.exists` doesn't allow us to distinguish between permissions errors and the path actually not existing, which repeatedly confuses people. It also means that we try to overwrite existing key files, which is super-confusing. (cf issues #2455, #2379). Use os.stat instead. Also, don't recomemnd the the use of --generate-config, which screws everything up if you're using debian (cf #2455).
* Fix typo in config comments.Tyler Smith2017-02-111-1/+1
| | | | Signed-off-by: Tyler Smith <tylersmith.me@gmail.com>
* Explain how long the servers can cache the TLS fingerprints forMark Haines2016-10-121-3/+4
|
* Improve comment formattingMark Haines2016-10-121-1/+1
|
* Add config option for adding additional TLS fingerprintsMark Haines2016-10-111-0/+37
|
* copyrightsMatthew Hodgson2016-01-071-1/+1
|
* Implement configurable stats reportingDaniel Wagner-Hall2015-09-221-1/+1
| | | | | | | | | | SYN-287 This requires that HS owners either opt in or out of stats reporting. When --generate-config is passed, --report-stats must be specified If an already-generated config is used, and doesn't have the report_stats key, it is requested to be set.
* Use shorter config key nameDaniel Wagner-Hall2015-09-151-3/+3
|
* Better document the intent of the insecure SSL settingDaniel Wagner-Hall2015-09-091-2/+6
|
* Allow configuration to ignore invalid SSL certsDaniel Wagner-Hall2015-09-091-0/+4
| | | | | This will be useful for sytest, and sytest only, hence the aggressive config key name.
* Merge branch 'master' of github.com:matrix-org/synapse into developErik Johnston2015-07-211-2/+2
|\
| * typoMatthew Hodgson2015-07-081-2/+2
| |
* | We don't want semicolons.Erik Johnston2015-07-091-1/+1
| |
* | remove the tls_certificate_chain_path param and simply support ↵Matthew Hodgson2015-07-091-21/+9
| | | | | | | | tls_certificate_path pointing to a file containing a chain of certificates
* | document tls_certificate_chain_path more clearlyMatthew Hodgson2015-07-091-0/+5
| |
* | oops, context.tls_certificate_chain_file() expects a file, not a certificate.Matthew Hodgson2015-07-081-4/+1
| |
* | *cough*Matthew Hodgson2015-07-081-2/+3
| |
* | add new optional config for tls_certificate_chain_path for folks with ↵Matthew Hodgson2015-07-081-3/+17
|/ | | | intermediary SSL certs
* Write a default log_config when generating configMark Haines2015-04-301-1/+1
|
* Manually generate the default config yaml, remove most of the commandline ↵Mark Haines2015-04-301-40/+38
| | | | arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class
* Unused importErik Johnston2015-03-061-1/+1
|
* Don't look for an TLS private key if we have set --no-tlsErik Johnston2015-03-061-4/+13
|
* Update copyright noticesMark Haines2015-01-061-1/+1
|
* Fix pep8 warningsMark Haines2014-10-301-1/+1
|
* fix the copyright holder from matrix.org to OpenMarket Ltd, as matrix.org ↵Matthew Hodgson2014-09-031-1/+1
| | | | hasn't been incorporated in time for launch.
* Fix typo when reading TLS configMark Haines2014-09-021-1/+1
|
* More helpful error messages for missing configMark Haines2014-09-021-3/+5
|
* Use pregenerated DH params when generating configMark Haines2014-09-011-7/+29
|
* Fix homeserver config parsingMark Haines2014-09-011-1/+1
|
* Add config tree to synapse. Add support for reading config from a fileMark Haines2014-08-311-0/+106