Remove tls_fingerprints option (#9280)

Signed-off-by: Jerin J Titus <72017981+jerinjtitus@users.noreply.github.com>
2025-05-04 23:15:02 -04:00 · 2021-05-24 22:13:30 +05:30 · 2021-05-24 22:13:30 +05:30 · 057ce7b754
commit 057ce7b754
parent 82eacb0e07
6 changed files with 1 additions and 95 deletions
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -16,11 +16,8 @@ import logging
 import os
 import warnings
 from datetime import datetime
-from hashlib import sha256
 from typing import List, Optional, Pattern

-from unpaddedbase64 import encode_base64
-
 from OpenSSL import SSL, crypto
 from twisted.internet._sslverify import Certificate, trustRootFromCertificates

@ -83,13 +80,6 @@ class TlsConfig(Config):
                    "configured."
                )

-        self._original_tls_fingerprints = config.get("tls_fingerprints", [])
-
-        if self._original_tls_fingerprints is None:
-            self._original_tls_fingerprints = []
-
-        self.tls_fingerprints = list(self._original_tls_fingerprints)
-
        # Whether to verify certificates on outbound federation traffic
        self.federation_verify_certificates = config.get(
            "federation_verify_certificates", True
@ -248,19 +238,6 @@ class TlsConfig(Config):
                    e,
                )

-        self.tls_fingerprints = list(self._original_tls_fingerprints)
-
-        if self.tls_certificate:
-            # Check that our own certificate is included in the list of fingerprints
-            # and include it if it is not.
-            x509_certificate_bytes = crypto.dump_certificate(
-                crypto.FILETYPE_ASN1, self.tls_certificate
-            )
-            sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
-            sha256_fingerprints = {f["sha256"] for f in self.tls_fingerprints}
-            if sha256_fingerprint not in sha256_fingerprints:
-                self.tls_fingerprints.append({"sha256": sha256_fingerprint})
-
    def generate_config_section(
        self,
        config_dir_path,
@ -443,33 +420,6 @@ class TlsConfig(Config):
            # If unspecified, we will use CONFDIR/client.key.
            #
            account_key_file: %(default_acme_account_file)s
-
-        # List of allowed TLS fingerprints for this server to publish along
-        # with the signing keys for this server. Other matrix servers that
-        # make HTTPS requests to this server will check that the TLS
-        # certificates returned by this server match one of the fingerprints.
-        #
-        # Synapse automatically adds the fingerprint of its own certificate
-        # to the list. So if federation traffic is handled directly by synapse
-        # then no modification to the list is required.
-        #
-        # If synapse is run behind a load balancer that handles the TLS then it
-        # will be necessary to add the fingerprints of the certificates used by
-        # the loadbalancers to this list if they are different to the one
-        # synapse is using.
-        #
-        # Homeservers are permitted to cache the list of TLS fingerprints
-        # returned in the key responses up to the "valid_until_ts" returned in
-        # key. It may be necessary to publish the fingerprints of a new
-        # certificate and wait until the "valid_until_ts" of the previous key
-        # responses have passed before deploying it.
-        #
-        # You can calculate a fingerprint from a given TLS listener via:
-        # openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
-        #   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
-        # or by checking matrix.org/federationtester/api/report?server_name=$host
-        #
-        #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
        """
            # Lowercase the string representation of boolean values
            % {