Remove tls_fingerprints option (#9280)
Signed-off-by: Jerin J Titus <72017981+jerinjtitus@users.noreply.github.com>pull/10055/head
							parent
							
								
									82eacb0e07
								
							
						
					
					
						commit
						057ce7b754
					
				|  | @ -0,0 +1 @@ | |||
| Removed support for the deprecated `tls_fingerprints` configuration setting. Contributed by Jerin J Titus. | ||||
|  | @ -683,33 +683,6 @@ acme: | |||
|     # | ||||
|     account_key_file: DATADIR/acme_account.key | ||||
| 
 | ||||
| # List of allowed TLS fingerprints for this server to publish along | ||||
| # with the signing keys for this server. Other matrix servers that | ||||
| # make HTTPS requests to this server will check that the TLS | ||||
| # certificates returned by this server match one of the fingerprints. | ||||
| # | ||||
| # Synapse automatically adds the fingerprint of its own certificate | ||||
| # to the list. So if federation traffic is handled directly by synapse | ||||
| # then no modification to the list is required. | ||||
| # | ||||
| # If synapse is run behind a load balancer that handles the TLS then it | ||||
| # will be necessary to add the fingerprints of the certificates used by | ||||
| # the loadbalancers to this list if they are different to the one | ||||
| # synapse is using. | ||||
| # | ||||
| # Homeservers are permitted to cache the list of TLS fingerprints | ||||
| # returned in the key responses up to the "valid_until_ts" returned in | ||||
| # key. It may be necessary to publish the fingerprints of a new | ||||
| # certificate and wait until the "valid_until_ts" of the previous key | ||||
| # responses have passed before deploying it. | ||||
| # | ||||
| # You can calculate a fingerprint from a given TLS listener via: | ||||
| # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | | ||||
| #   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' | ||||
| # or by checking matrix.org/federationtester/api/report?server_name=$host | ||||
| # | ||||
| #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] | ||||
| 
 | ||||
| 
 | ||||
| ## Federation ## | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,4 +1,3 @@ | |||
| import hashlib | ||||
| import json | ||||
| import sys | ||||
| import time | ||||
|  | @ -54,15 +53,9 @@ def convert_v1_to_v2(server_name, valid_until, keys, certificate): | |||
|         "server_name": server_name, | ||||
|         "verify_keys": {key_id: {"key": key} for key_id, key in keys.items()}, | ||||
|         "valid_until_ts": valid_until, | ||||
|         "tls_fingerprints": [fingerprint(certificate)], | ||||
|     } | ||||
| 
 | ||||
| 
 | ||||
| def fingerprint(certificate): | ||||
|     finger = hashlib.sha256(certificate) | ||||
|     return {"sha256": encode_base64(finger.digest())} | ||||
| 
 | ||||
| 
 | ||||
| def rows_v2(server, json): | ||||
|     valid_until = json["valid_until_ts"] | ||||
|     key_json = encode_canonical_json(json) | ||||
|  |  | |||
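Review bot: `convert_v1_to_v2` still takes a `certificate` parameter (visible in the hunk header) that nothing in its body uses now that the `"tls_fingerprints"` entry and `fingerprint()` are gone, so callers keep reading and passing certificate bytes for no effect. Either drop the parameter and update the call site, or leave a comment on the signature such as `# certificate: unused since tls_fingerprints were removed; kept so existing callers need no change`. It is also worth confirming that `encode_base64` is still referenced elsewhere in this file, since `fingerprint()` was its only visible consumer; if not, its import can go together with `hashlib`. The body of `convert_v1_to_v2` begins before the hunk.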
|  | @ -16,11 +16,8 @@ import logging | |||
| import os | ||||
| import warnings | ||||
| from datetime import datetime | ||||
| from hashlib import sha256 | ||||
| from typing import List, Optional, Pattern | ||||
| 
 | ||||
| from unpaddedbase64 import encode_base64 | ||||
| 
 | ||||
| from OpenSSL import SSL, crypto | ||||
| from twisted.internet._sslverify import Certificate, trustRootFromCertificates | ||||
| 
 | ||||
|  | @ -83,13 +80,6 @@ class TlsConfig(Config): | |||
|                     "configured." | ||||
|                 ) | ||||
| 
 | ||||
|         self._original_tls_fingerprints = config.get("tls_fingerprints", []) | ||||
| 
 | ||||
|         if self._original_tls_fingerprints is None: | ||||
|             self._original_tls_fingerprints = [] | ||||
| 
 | ||||
|         self.tls_fingerprints = list(self._original_tls_fingerprints) | ||||
| 
 | ||||
|         # Whether to verify certificates on outbound federation traffic | ||||
|         self.federation_verify_certificates = config.get( | ||||
|             "federation_verify_certificates", True | ||||
|  | @ -248,19 +238,6 @@ class TlsConfig(Config): | |||
|                     e, | ||||
|                 ) | ||||
| 
 | ||||
|         self.tls_fingerprints = list(self._original_tls_fingerprints) | ||||
| 
 | ||||
|         if self.tls_certificate: | ||||
|             # Check that our own certificate is included in the list of fingerprints | ||||
|             # and include it if it is not. | ||||
|             x509_certificate_bytes = crypto.dump_certificate( | ||||
|                 crypto.FILETYPE_ASN1, self.tls_certificate | ||||
|             ) | ||||
|             sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest()) | ||||
|             sha256_fingerprints = {f["sha256"] for f in self.tls_fingerprints} | ||||
|             if sha256_fingerprint not in sha256_fingerprints: | ||||
|                 self.tls_fingerprints.append({"sha256": sha256_fingerprint}) | ||||
| 
 | ||||
|     def generate_config_section( | ||||
|         self, | ||||
|         config_dir_path, | ||||
|  | @ -443,33 +420,6 @@ class TlsConfig(Config): | |||
|             # If unspecified, we will use CONFDIR/client.key. | ||||
|             # | ||||
|             account_key_file: %(default_acme_account_file)s | ||||
| 
 | ||||
|         # List of allowed TLS fingerprints for this server to publish along | ||||
|         # with the signing keys for this server. Other matrix servers that | ||||
|         # make HTTPS requests to this server will check that the TLS | ||||
|         # certificates returned by this server match one of the fingerprints. | ||||
|         # | ||||
|         # Synapse automatically adds the fingerprint of its own certificate | ||||
|         # to the list. So if federation traffic is handled directly by synapse | ||||
|         # then no modification to the list is required. | ||||
|         # | ||||
|         # If synapse is run behind a load balancer that handles the TLS then it | ||||
|         # will be necessary to add the fingerprints of the certificates used by | ||||
|         # the loadbalancers to this list if they are different to the one | ||||
|         # synapse is using. | ||||
|         # | ||||
|         # Homeservers are permitted to cache the list of TLS fingerprints | ||||
|         # returned in the key responses up to the "valid_until_ts" returned in | ||||
|         # key. It may be necessary to publish the fingerprints of a new | ||||
|         # certificate and wait until the "valid_until_ts" of the previous key | ||||
|         # responses have passed before deploying it. | ||||
|         # | ||||
|         # You can calculate a fingerprint from a given TLS listener via: | ||||
|         # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | | ||||
|         #   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' | ||||
|         # or by checking matrix.org/federationtester/api/report?server_name=$host | ||||
|         # | ||||
|         #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] | ||||
|         """ | ||||
|             # Lowercase the string representation of boolean values | ||||
|             % { | ||||
|  |  | |||
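Review bot: A homeserver config that still sets `tls_fingerprints` is now silently ignored — the `read_config` hunk drops the `config.get("tls_fingerprints", [])` read without replacing it with any check, so operators who populated the list for a TLS-terminating load balancer only find out when the value disappears from key responses. Since the module already imports `warnings`, a one-line notice would cover it: `if "tls_fingerprints" in config: warnings.warn("The 'tls_fingerprints' setting is no longer supported and is ignored.")`, or whatever convention the project uses for removed settings. Also check that `crypto` from `OpenSSL` is still used elsewhere in the file, as its only use in these hunks (`crypto.dump_certificate`) is removed. `read_config` starts before the hunk.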
|  | @ -48,11 +48,6 @@ class LocalKey(Resource): | |||
|                     "key": # base64 encoded NACL verification key. | ||||
|                 } | ||||
|             }, | ||||
|             "tls_fingerprints": [ # Fingerprints of the TLS certs this server uses. | ||||
|                 { | ||||
|                     "sha256": # base64 encoded sha256 fingerprint of the X509 cert | ||||
|                 }, | ||||
|             ], | ||||
|             "signatures": { | ||||
|                 "this.server.example.com": { | ||||
|                    "algorithm:version": # NACL signature for this server | ||||
|  | @ -89,14 +84,11 @@ class LocalKey(Resource): | |||
|                 "expired_ts": key.expired_ts, | ||||
|             } | ||||
| 
 | ||||
|         tls_fingerprints = self.config.tls_fingerprints | ||||
| 
 | ||||
|         json_object = { | ||||
|             "valid_until_ts": self.valid_until_ts, | ||||
|             "server_name": self.config.server_name, | ||||
|             "verify_keys": verify_keys, | ||||
|             "old_verify_keys": old_verify_keys, | ||||
|             "tls_fingerprints": tls_fingerprints, | ||||
|         } | ||||
|         for key in self.config.signing_key: | ||||
|             json_object = sign_json(json_object, self.config.server_name, key) | ||||
|  |  | |||
|  | @ -73,9 +73,6 @@ class RemoteKey(DirectServeJsonResource): | |||
|                         "expired_ts": 0, # when the key stop being used. | ||||
|                     } | ||||
|                 } | ||||
|                 "tls_fingerprints": [ | ||||
|                     { "sha256": # fingerprint } | ||||
|                 ] | ||||
|                 "signatures": { | ||||
|                     "remote.server.example.com": {...} | ||||
|                     "this.server.example.com": {...} | ||||
|  |  | |||
	 Jerin J Titus
						Jerin J Titus