Remove tls_fingerprints option (#9280)

Signed-off-by: Jerin J Titus <72017981+jerinjtitus@users.noreply.github.com>
Jerin J Titus 2021-05-24 22:13:30 +05:30 committed by GitHub
parent 82eacb0e07
commit 057ce7b754
6 changed files with 1 additions and 95 deletions

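--- /dev/null
+++ b/changelog.d/9280.removal
@@ -0,0 +1 @@
+Removed support for the deprecated `tls_fingerprints` configuration setting. Contributed by Jerin J Titus.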


@ -683,33 +683,6 @@ acme:
# #
account_key_file: DATADIR/acme_account.key account_key_file: DATADIR/acme_account.key
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
## Federation ## ## Federation ##


@ -1,4 +1,3 @@
import hashlib
import json import json
import sys import sys
import time import time
@ -54,15 +53,9 @@ def convert_v1_to_v2(server_name, valid_until, keys, certificate):
"server_name": server_name, "server_name": server_name,
"verify_keys": {key_id: {"key": key} for key_id, key in keys.items()}, "verify_keys": {key_id: {"key": key} for key_id, key in keys.items()},
"valid_until_ts": valid_until, "valid_until_ts": valid_until,
"tls_fingerprints": [fingerprint(certificate)],
} }
def fingerprint(certificate):
finger = hashlib.sha256(certificate)
return {"sha256": encode_base64(finger.digest())}
def rows_v2(server, json): def rows_v2(server, json):
valid_until = json["valid_until_ts"] valid_until = json["valid_until_ts"]
key_json = encode_canonical_json(json) key_json = encode_canonical_json(json)
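Review bot: The `hashlib` import is dropped together with `fingerprint`, but `encode_base64`, which within this hunk was only called by the removed function, is not shown as removed; if nothing else in the script still uses it, that import line is now dead and should be deleted in the same change. The body of `convert_v1_to_v2` starts outside the hunk, so the verification here is partial. Dropping `tls_fingerprints` from the generated v2 key JSON is consistent with the server-side removal in the key resources, so the converter's output matches what the homeserver now publishes.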


@ -16,11 +16,8 @@ import logging
import os import os
import warnings import warnings
from datetime import datetime from datetime import datetime
from hashlib import sha256
from typing import List, Optional, Pattern from typing import List, Optional, Pattern
from unpaddedbase64 import encode_base64
from OpenSSL import SSL, crypto from OpenSSL import SSL, crypto
from twisted.internet._sslverify import Certificate, trustRootFromCertificates from twisted.internet._sslverify import Certificate, trustRootFromCertificates
@ -83,13 +80,6 @@ class TlsConfig(Config):
"configured." "configured."
) )
self._original_tls_fingerprints = config.get("tls_fingerprints", [])
if self._original_tls_fingerprints is None:
self._original_tls_fingerprints = []
self.tls_fingerprints = list(self._original_tls_fingerprints)
# Whether to verify certificates on outbound federation traffic # Whether to verify certificates on outbound federation traffic
self.federation_verify_certificates = config.get( self.federation_verify_certificates = config.get(
"federation_verify_certificates", True "federation_verify_certificates", True
@ -248,19 +238,6 @@ class TlsConfig(Config):
e, e,
) )
self.tls_fingerprints = list(self._original_tls_fingerprints)
if self.tls_certificate:
# Check that our own certificate is included in the list of fingerprints
# and include it if it is not.
x509_certificate_bytes = crypto.dump_certificate(
crypto.FILETYPE_ASN1, self.tls_certificate
)
sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
sha256_fingerprints = {f["sha256"] for f in self.tls_fingerprints}
if sha256_fingerprint not in sha256_fingerprints:
self.tls_fingerprints.append({"sha256": sha256_fingerprint})
def generate_config_section( def generate_config_section(
self, self,
config_dir_path, config_dir_path,
@ -443,33 +420,6 @@ class TlsConfig(Config):
# If unspecified, we will use CONFDIR/client.key. # If unspecified, we will use CONFDIR/client.key.
# #
account_key_file: %(default_acme_account_file)s account_key_file: %(default_acme_account_file)s
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
""" """
# Lowercase the string representation of boolean values # Lowercase the string representation of boolean values
% { % {
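Review bot: With the `config.get("tls_fingerprints", ...)` read removed, an existing homeserver.yaml that still sets `tls_fingerprints` is now silently ignored, so an operator who added load-balancer fingerprints following the old sample-config text gets no signal that the setting no longer does anything. Since `warnings` is already imported in this module, a one-line check at the point where the old read was, `if "tls_fingerprints" in config: warnings.warn("The 'tls_fingerprints' setting is no longer supported and is ignored.")`, would make the removal visible at startup (or a `logger.warning` if this module has a module-level logger, which is not visible in the hunk). The enclosing method begins outside the hunk, so where the check best sits relative to the other deprecation handling cannot be confirmed from here. The same consideration applies to the sample-config text removed in the `generate_config_section` hunk, which is what operators will have copied from.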


@ -48,11 +48,6 @@ class LocalKey(Resource):
"key": # base64 encoded NACL verification key. "key": # base64 encoded NACL verification key.
} }
}, },
"tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
{
"sha256": # base64 encoded sha256 fingerprint of the X509 cert
},
],
"signatures": { "signatures": {
"this.server.example.com": { "this.server.example.com": {
"algorithm:version": # NACL signature for this server "algorithm:version": # NACL signature for this server
@ -89,14 +84,11 @@ class LocalKey(Resource):
"expired_ts": key.expired_ts, "expired_ts": key.expired_ts,
} }
tls_fingerprints = self.config.tls_fingerprints
json_object = { json_object = {
"valid_until_ts": self.valid_until_ts, "valid_until_ts": self.valid_until_ts,
"server_name": self.config.server_name, "server_name": self.config.server_name,
"verify_keys": verify_keys, "verify_keys": verify_keys,
"old_verify_keys": old_verify_keys, "old_verify_keys": old_verify_keys,
"tls_fingerprints": tls_fingerprints,
} }
for key in self.config.signing_key: for key in self.config.signing_key:
json_object = sign_json(json_object, self.config.server_name, key) json_object = sign_json(json_object, self.config.server_name, key)


@ -73,9 +73,6 @@ class RemoteKey(DirectServeJsonResource):
"expired_ts": 0, # when the key stop being used. "expired_ts": 0, # when the key stop being used.
} }
} }
"tls_fingerprints": [
{ "sha256": # fingerprint }
]
"signatures": { "signatures": {
"remote.server.example.com": {...} "remote.server.example.com": {...}
"this.server.example.com": {...} "this.server.example.com": {...}