Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Validate federation server TLS certificates by default. #5359

Merged
merged 4 commits into from
Jun 6, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/5359.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)).
1 change: 1 addition & 0 deletions changelog.d/5362.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix `federation_custom_ca_list` configuration option.
8 changes: 4 additions & 4 deletions docs/sample_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -329,12 +329,12 @@ listeners:
#
#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key"

# Whether to verify TLS certificates when sending federation traffic.
# Whether to verify TLS server certificates for outbound federation requests.
#
# This currently defaults to `false`, however this will change in
# Synapse 1.0 when valid federation certificates will be required.
# Defaults to `true`. To disable certificate verification, uncomment the
# following line.
#
#federation_verify_certificates: true
#federation_verify_certificates: false

# Skip federation certificate verification on the following whitelist
# of domains.
Expand Down
12 changes: 6 additions & 6 deletions synapse/config/tls.py
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ def read_config(self, config):

# Whether to verify certificates on outbound federation traffic
self.federation_verify_certificates = config.get(
"federation_verify_certificates", False,
"federation_verify_certificates", True,
)

# Whitelist of domains to not verify certificates for
Expand Down Expand Up @@ -107,7 +107,7 @@ def read_config(self, config):
certs = []
for ca_file in custom_ca_list:
logger.debug("Reading custom CA certificate file: %s", ca_file)
content = self.read_file(ca_file)
content = self.read_file(ca_file, "federation_custom_ca_list")

# Parse the CA certificates
try:
Expand Down Expand Up @@ -241,12 +241,12 @@ def default_config(self, config_dir_path, server_name, **kwargs):
#
#tls_private_key_path: "%(tls_private_key_path)s"

# Whether to verify TLS certificates when sending federation traffic.
# Whether to verify TLS server certificates for outbound federation requests.
#
# This currently defaults to `false`, however this will change in
# Synapse 1.0 when valid federation certificates will be required.
# Defaults to `true`. To disable certificate verification, uncomment the
# following line.
#
#federation_verify_certificates: true
#federation_verify_certificates: false

# Skip federation certificate verification on the following whitelist
# of domains.
Expand Down
12 changes: 9 additions & 3 deletions tests/http/federation/test_matrix_federation_agent.py
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
from twisted.web.http_headers import Headers
from twisted.web.iweb import IPolicyForHTTPS

from synapse.config.homeserver import HomeServerConfig
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import (
MatrixFederationAgent,
Expand All @@ -52,11 +53,16 @@ def setUp(self):

self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)

# for now, we disable cert verification for the test, since the cert we
# present will not be trusted. We should do better here, though.
config_dict = default_config("test", parse=False)
config_dict["federation_verify_certificates"] = False
config = HomeServerConfig()
config.parse_config_dict(config_dict)

self.agent = MatrixFederationAgent(
reactor=self.reactor,
tls_client_options_factory=ClientTLSOptionsFactory(
default_config("test", parse=True)
),
tls_client_options_factory=ClientTLSOptionsFactory(config),
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
_srv_resolver=self.mock_resolver,
_well_known_cache=self.well_known_cache,
Expand Down