Merge pull request #5359 from matrix-org/rav/enable_tls_verification
Validate federation server TLS certificates by default.pull/5369/head
commit
cb3b381fcb
|
@ -0,0 +1 @@
|
|||
Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)).
|
|
@ -329,12 +329,12 @@ listeners:
|
|||
#
|
||||
#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key"
|
||||
|
||||
# Whether to verify TLS certificates when sending federation traffic.
|
||||
# Whether to verify TLS server certificates for outbound federation requests.
|
||||
#
|
||||
# This currently defaults to `false`, however this will change in
|
||||
# Synapse 1.0 when valid federation certificates will be required.
|
||||
# Defaults to `true`. To disable certificate verification, uncomment the
|
||||
# following line.
|
||||
#
|
||||
#federation_verify_certificates: true
|
||||
#federation_verify_certificates: false
|
||||
|
||||
# Skip federation certificate verification on the following whitelist
|
||||
# of domains.
|
||||
|
|
|
@ -74,7 +74,7 @@ class TlsConfig(Config):
|
|||
|
||||
# Whether to verify certificates on outbound federation traffic
|
||||
self.federation_verify_certificates = config.get(
|
||||
"federation_verify_certificates", False,
|
||||
"federation_verify_certificates", True,
|
||||
)
|
||||
|
||||
# Whitelist of domains to not verify certificates for
|
||||
|
@ -241,12 +241,12 @@ class TlsConfig(Config):
|
|||
#
|
||||
#tls_private_key_path: "%(tls_private_key_path)s"
|
||||
|
||||
# Whether to verify TLS certificates when sending federation traffic.
|
||||
# Whether to verify TLS server certificates for outbound federation requests.
|
||||
#
|
||||
# This currently defaults to `false`, however this will change in
|
||||
# Synapse 1.0 when valid federation certificates will be required.
|
||||
# Defaults to `true`. To disable certificate verification, uncomment the
|
||||
# following line.
|
||||
#
|
||||
#federation_verify_certificates: true
|
||||
#federation_verify_certificates: false
|
||||
|
||||
# Skip federation certificate verification on the following whitelist
|
||||
# of domains.
|
||||
|
|
|
@ -27,6 +27,7 @@ from twisted.web.http import HTTPChannel
|
|||
from twisted.web.http_headers import Headers
|
||||
from twisted.web.iweb import IPolicyForHTTPS
|
||||
|
||||
from synapse.config.homeserver import HomeServerConfig
|
||||
from synapse.crypto.context_factory import ClientTLSOptionsFactory
|
||||
from synapse.http.federation.matrix_federation_agent import (
|
||||
MatrixFederationAgent,
|
||||
|
@ -52,11 +53,16 @@ class MatrixFederationAgentTests(TestCase):
|
|||
|
||||
self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
|
||||
|
||||
# for now, we disable cert verification for the test, since the cert we
|
||||
# present will not be trusted. We should do better here, though.
|
||||
config_dict = default_config("test", parse=False)
|
||||
config_dict["federation_verify_certificates"] = False
|
||||
config = HomeServerConfig()
|
||||
config.parse_config_dict(config_dict)
|
||||
|
||||
self.agent = MatrixFederationAgent(
|
||||
reactor=self.reactor,
|
||||
tls_client_options_factory=ClientTLSOptionsFactory(
|
||||
default_config("test", parse=True)
|
||||
),
|
||||
tls_client_options_factory=ClientTLSOptionsFactory(config),
|
||||
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
|
||||
_srv_resolver=self.mock_resolver,
|
||||
_well_known_cache=self.well_known_cache,
|
||||
|
|
Loading…
Reference in New Issue