Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)

2025-05-02 12:16:09 -04:00 · 2019-06-28 18:19:09 +10:00 · 2019-06-28 18:19:09 +10:00 · be3b901ccd
commit be3b901ccd
parent 9646a593ac
7 changed files with 190 additions and 9 deletions
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -23,7 +23,7 @@ import six

 from unpaddedbase64 import encode_base64

-from OpenSSL import crypto
+from OpenSSL import SSL, crypto
 from twisted.internet._sslverify import Certificate, trustRootFromCertificates

 from synapse.config._base import Config, ConfigError
@ -81,6 +81,27 @@ class TlsConfig(Config):
            "federation_verify_certificates", True
        )

+        # Minimum TLS version to use for outbound federation traffic
+        self.federation_client_minimum_tls_version = str(
+            config.get("federation_client_minimum_tls_version", 1)
+        )
+
+        if self.federation_client_minimum_tls_version not in ["1", "1.1", "1.2", "1.3"]:
+            raise ConfigError(
+                "federation_client_minimum_tls_version must be one of: 1, 1.1, 1.2, 1.3"
+            )
+
+        # Prevent people shooting themselves in the foot here by setting it to
+        # the biggest number blindly
+        if self.federation_client_minimum_tls_version == "1.3":
+            if getattr(SSL, "OP_NO_TLSv1_3", None) is None:
+                raise ConfigError(
+                    (
+                        "federation_client_minimum_tls_version cannot be 1.3, "
+                        "your OpenSSL does not support it"
+                    )
+                )
+
        # Whitelist of domains to not verify certificates for
        fed_whitelist_entries = config.get(
            "federation_certificate_verification_whitelist", []
@ -261,6 +282,15 @@ class TlsConfig(Config):
        #
        #federation_verify_certificates: false

+        # The minimum TLS version that will be used for outbound federation requests.
+        #
+        # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
+        # that setting this value higher than `1.2` will prevent federation to most
+        # of the public Matrix network: only configure it to `1.3` if you have an
+        # entirely private federation setup and you can ensure TLS 1.3 support.
+        #
+        #federation_client_minimum_tls_version: 1.2
+
        # Skip federation certificate verification on the following whitelist
        # of domains.
        #