Amber Brown
850dcfd2d3
Fix well-known lookups with the federation certificate whitelist ( #5997 )
2019-09-14 04:58:38 +10:00
Jorik Schellekens
6d97843793
Config templating ( #5900 )
...
Template config files
* Imagine a system composed entirely of x, y, z etc and the basic operations..
Wait George, why XOR? Why not just neq?
George: Eh, I didn't think of that..
Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 13:12:22 +01:00
Amber Brown
be3b901ccd
Update the TLS cipher string and provide configurability for TLS on outgoing federation ( #5550 )
2019-06-28 18:19:09 +10:00
Richard van der Hoff
16b52642e2
Don't load the generated config as the default.
...
It's too confusing.
2019-06-24 14:14:52 +01:00
Richard van der Hoff
edea4bb5be
Allow configuration of the path used for ACME account keys.
...
Because sticking it in the same place as the config isn't necessarily the right
thing to do.
2019-06-24 13:51:22 +01:00
Richard van der Hoff
c3c6b00d95
Pass config_dir_path and data_dir_path into Config.read_config. ( #5522 )
...
* Pull config_dir_path and data_dir_path calculation out of read_config_files
* Pass config_dir_path and data_dir_path into read_config
2019-06-24 11:34:45 +01:00
Amber Brown
32e7c9e7f2
Run Black. ( #5482 )
2019-06-20 19:32:02 +10:00
Richard van der Hoff
7603a706eb
Merge branch 'rav/fix_custom_ca' into rav/enable_tls_verification
2019-06-05 16:32:35 +01:00
Richard van der Hoff
f8a45302c9
Fix `federation_custom_ca_list` configuration option.
...
Previously, setting this option would cause an exception at startup.
2019-06-05 16:19:07 +01:00
Richard van der Hoff
e2dfb922e1
Validate federation server TLS certificates by default.
2019-06-05 14:17:50 +01:00
Andrew Morgan
6824ddd93d
Config option for verifying federation certificates (MSC 1711) ( #4967 )
2019-04-25 14:22:49 +01:00
Andrew Morgan
7998ca3a66
Document using a certificate with a full chain ( #4849 )
2019-03-13 15:26:29 +00:00
Richard van der Hoff
641c409e4e
Fix ACME config for python 2. ( #4717 )
...
Fixes #4675 .
2019-02-25 11:16:33 -08:00
Richard van der Hoff
5f9bdf90fe
Attempt to make default config more consistent
...
The general idea here is that config examples should just have a hash and no
extraneous whitespace, both to make it easier for people who don't understand
yaml, and to make the examples stand out from the comments.
2019-02-19 13:54:29 +00:00
Brendan Abolivier
5a707a2f9a
Improve config documentation
2019-02-19 10:59:26 +00:00
Brendan Abolivier
45bb55c6de
Use a configuration parameter to give the domain to generate a certificate for
2019-02-18 15:46:23 +00:00
Richard van der Hoff
a4ce91396b
Disable TLS by default ( #4614 )
2019-02-12 10:52:08 +00:00
Richard van der Hoff
32b781bfe2
Fix error when loading cert if tls is disabled ( #4618 )
...
If TLS is disabled, it should not be an error if no cert is given.
Fixes #4554 .
2019-02-12 10:51:31 +00:00
Richard van der Hoff
0ca2908653
fix tests
2019-02-11 22:01:27 +00:00
Richard van der Hoff
4fddf8fc77
Infer no_tls from presence of TLS listeners
...
Rather than have to specify `no_tls` explicitly, infer whether we need to load
the TLS keys etc from whether we have any TLS-enabled listeners.
2019-02-11 21:39:14 +00:00
Richard van der Hoff
086f6f27d4
Logging improvements around TLS certs
...
Log which file we're reading keys and certs from, and refactor the code a bit
in preparation for other work
2019-02-11 21:02:06 +00:00
Amber Brown
6e2a5aa050
ACME Reprovisioning ( #4522 )
2019-02-11 10:36:26 +00:00
Amber Brown
4ffd10f46d
Be tolerant of blank TLS fingerprints config ( #4589 )
2019-02-11 10:04:27 +00:00
Richard van der Hoff
bf1e4d96ad
Fix default ACME config for py2 ( #4564 )
...
Fixes #4559
2019-02-05 11:37:33 +00:00
Richard van der Hoff
d7e27a1f08
fix typo in config comments ( #4557 )
2019-02-05 11:32:45 +00:00
Richard van der Hoff
7615a8ced1
ACME config cleanups ( #4525 )
...
* Handle listening for ACME requests on IPv6 addresses
the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses
without extra quoting. Building a string which you are about to parse again
seems like a weird choice. Let's just use listenTCP, which is consistent with
what we do elsewhere.
* Clean up the default ACME config
make it look a bit more consistent with everything else, and tweak the defaults
to listen on port 80.
* newsfile
2019-01-30 14:17:55 +00:00
Amber Brown
6bd4374636
Do not generate self-signed TLS certificates by default. ( #4509 )
2019-01-29 14:09:10 +00:00
Amber Brown
6129e52f43
Support ACME for certificate provisioning ( #4384 )
2019-01-23 19:39:06 +11:00
Amber Brown
23b0813599
Require ECDH key exchange & remove dh_params ( #4429 )
...
* remove dh_params and set better cipher string
2019-01-22 21:58:50 +11:00
Amber Brown
49af402019
run isort
2018-07-09 16:09:20 +10:00
Adrian Tschira
a3f9ddbede
Open certificate files as bytes
...
That's what pyOpenSSL expects on python3
Signed-off-by: Adrian Tschira <nota@notafile.com>
2018-04-10 17:36:29 +02:00
Matthew Hodgson
5e97ca7ee6
fix typo
2018-01-16 16:52:35 +00:00
Matthew Hodgson
efd0f5a3c5
tip for generating tls_fingerprints
2017-10-24 18:49:49 +01:00
Richard van der Hoff
7216c76654
Improve error handling for missing files ( #2551 )
...
`os.path.exists` doesn't allow us to distinguish between permissions errors and
the path actually not existing, which repeatedly confuses people. It also means
that we try to overwrite existing key files, which is super-confusing. (cf
issues #2455 , #2379 ). Use os.stat instead.
Also, don't recomemnd the the use of --generate-config, which screws everything
up if you're using debian (cf #2455 ).
2017-10-17 14:46:17 +01:00
Tyler Smith
df4407d665
Fix typo in config comments.
...
Signed-off-by: Tyler Smith <tylersmith.me@gmail.com>
2017-02-11 23:02:57 -08:00
Mark Haines
c61ddeedac
Explain how long the servers can cache the TLS fingerprints for
2016-10-12 14:48:24 +01:00
Mark Haines
0af6213019
Improve comment formatting
2016-10-12 14:45:13 +01:00
Mark Haines
6e9f3ab415
Add config option for adding additional TLS fingerprints
2016-10-11 19:14:46 +01:00
Matthew Hodgson
6c28ac260c
copyrights
2016-01-07 04:26:29 +00:00
Daniel Wagner-Hall
7213588083
Implement configurable stats reporting
...
SYN-287
This requires that HS owners either opt in or out of stats reporting.
When --generate-config is passed, --report-stats must be specified
If an already-generated config is used, and doesn't have the
report_stats key, it is requested to be set.
2015-09-22 12:57:40 +01:00
Daniel Wagner-Hall
d4af08a167
Use shorter config key name
2015-09-15 15:50:13 +01:00
Daniel Wagner-Hall
ddfe30ba83
Better document the intent of the insecure SSL setting
2015-09-09 13:26:23 +01:00
Daniel Wagner-Hall
81a93ddcc8
Allow configuration to ignore invalid SSL certs
...
This will be useful for sytest, and sytest only, hence the aggressive
config key name.
2015-09-09 12:02:07 +01:00
Erik Johnston
90dbd71c13
Merge branch 'master' of github.com:matrix-org/synapse into develop
2015-07-21 09:25:30 +01:00
Erik Johnston
294dbd712f
We don't want semicolons.
2015-07-09 11:47:24 +01:00
Matthew Hodgson
fb8d2862c1
remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates
2015-07-09 00:45:41 +01:00
Matthew Hodgson
8ad2d2d1cb
document tls_certificate_chain_path more clearly
2015-07-09 00:06:01 +01:00
Matthew Hodgson
f26a3df1bf
oops, context.tls_certificate_chain_file() expects a file, not a certificate.
2015-07-08 21:33:02 +01:00
Matthew Hodgson
465acb0c6a
*cough*
2015-07-08 18:30:59 +01:00
Matthew Hodgson
64afbe6ccd
add new optional config for tls_certificate_chain_path for folks with intermediary SSL certs
2015-07-08 18:20:02 +01:00