Merge pull request #5359 from matrix-org/rav/enable_tls_verification

Validate federation server TLS certificates by default.
2024-10-01 11:49:51 -04:00 · 2019-06-06 10:50:42 +01:00 · 2019-06-06 10:50:42 +01:00 · cb3b381fcb
commit cb3b381fcb
parent 42555bc18b 7603a706eb
4 changed files with 19 additions and 12 deletions
--- a/changelog.d/5359.feature
+++ b/changelog.d/5359.feature
@ -0,0 +1 @@
 Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)).
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -329,12 +329,12 @@ listeners:
 #
 #tls_private_key_path: "CONFDIR/SERVERNAME.tls.key"
-# Whether to verify TLS certificates when sending federation traffic.
+# Whether to verify TLS server certificates for outbound federation requests.
 #
-# This currently defaults to `false`, however this will change in
+# Defaults to `true`. To disable certificate verification, uncomment the
-# Synapse 1.0 when valid federation certificates will be required.
+# following line.
 #
-#federation_verify_certificates: true
+#federation_verify_certificates: false
 # Skip federation certificate verification on the following whitelist
 # of domains.
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -74,7 +74,7 @@ class TlsConfig(Config):
        # Whether to verify certificates on outbound federation traffic
        self.federation_verify_certificates = config.get(
-            "federation_verify_certificates", False,
+            "federation_verify_certificates", True,
        )
        # Whitelist of domains to not verify certificates for
@ -241,12 +241,12 @@ class TlsConfig(Config):
        #
        #tls_private_key_path: "%(tls_private_key_path)s"
-        # Whether to verify TLS certificates when sending federation traffic.
+        # Whether to verify TLS server certificates for outbound federation requests.
        #
-        # This currently defaults to `false`, however this will change in
+        # Defaults to `true`. To disable certificate verification, uncomment the
-        # Synapse 1.0 when valid federation certificates will be required.
+        # following line.
        #
-        #federation_verify_certificates: true
+        #federation_verify_certificates: false
        # Skip federation certificate verification on the following whitelist
        # of domains.
--- a/tests/http/federation/test_matrix_federation_agent.py
+++ b/tests/http/federation/test_matrix_federation_agent.py
@ -27,6 +27,7 @@ from twisted.web.http import HTTPChannel
 from twisted.web.http_headers import Headers
 from twisted.web.iweb import IPolicyForHTTPS
 from synapse.config.homeserver import HomeServerConfig
 from synapse.crypto.context_factory import ClientTLSOptionsFactory
 from synapse.http.federation.matrix_federation_agent import (
    MatrixFederationAgent,
@ -52,11 +53,16 @@ class MatrixFederationAgentTests(TestCase):
        self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
        # for now, we disable cert verification for the test, since the cert we
        # present will not be trusted. We should do better here, though.
        config_dict = default_config("test", parse=False)
        config_dict["federation_verify_certificates"] = False
        config = HomeServerConfig()
        config.parse_config_dict(config_dict)
        self.agent = MatrixFederationAgent(
            reactor=self.reactor,
-            tls_client_options_factory=ClientTLSOptionsFactory(
+            tls_client_options_factory=ClientTLSOptionsFactory(config),
                default_config("test", parse=True)
            ),
            _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
            _srv_resolver=self.mock_resolver,
            _well_known_cache=self.well_known_cache,
		`@ -0,0 +1 @@`
							`Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)).`