From 6e9f3ab415b855a032f092baf083f354116db284 Mon Sep 17 00:00:00 2001
From: Mark Haines <mark.haines@matrix.org>
Date: Tue, 11 Oct 2016 19:14:46 +0100
Subject: [PATCH 1/3] Add config option for adding additional TLS fingerprints

---
 synapse/config/tls.py                     | 37 +++++++++++++++++++++++
 synapse/rest/key/v2/local_key_resource.py | 16 +++-------
 2 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index fac855082..956b440f7 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -19,6 +19,9 @@ from OpenSSL import crypto
 import subprocess
 import os
 
+from hashlib import sha256
+from unpaddedbase64 import encode_base64
+
 GENERATE_DH_PARAMS = False
 
 
@@ -42,6 +45,19 @@ class TlsConfig(Config):
             config.get("tls_dh_params_path"), "tls_dh_params"
         )
 
+        self.tls_fingerprints = config["tls_fingerprints"]
+
+        # Check that our own certificate is included in the list of fingerprints
+        # and include it if it is not.
+        x509_certificate_bytes = crypto.dump_certificate(
+            crypto.FILETYPE_ASN1,
+            self.tls_certificate
+        )
+        sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
+        sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints)
+        if sha256_fingerprint not in sha256_fingerprints:
+            self.tls_fingerprints.append({u"sha256": sha256_fingerprint})
+
         # This config option applies to non-federation HTTP clients
         # (e.g. for talking to recaptcha, identity servers, and such)
         # It should never be used in production, and is intended for
@@ -73,6 +89,27 @@ class TlsConfig(Config):
 
         # Don't bind to the https port
         no_tls: False
+
+        # List of allowed TLS fingerprints for this server to publish along
+        # with the signing keys for this server. Other matrix servers that
+        # make HTTPS requests to this server will check that the TLS
+        # certificates returned by this server match one of the fingerprints.
+        #
+        # Synapse automatically adds its the fingerprint of its own certificate
+        # to the list. So if federation traffic is handle directly by synapse
+        # then no modification to the list is required.
+        #
+        # If synapse is run behind a load balancer that handles the TLS then it
+        # will be necessary to add the fingerprints of the certificates used by
+        # the loadbalancers to this list if they are different to the one
+        # synapse is using.
+        #
+        # Homeservers are permitted to cache the list of TLS fingerprints
+        # returned in the key responses. It may be necessary to publish the
+        # fingerprints of a new certificate and wait for the caches on other
+        # servers to expire before deploying it.
+        tls_fingerprints: []
+        #- {"sha256": "<base64_encoded_sha256_fingerprint>"}
         """ % locals()
 
     def read_tls_certificate(self, cert_path):
diff --git a/synapse/rest/key/v2/local_key_resource.py b/synapse/rest/key/v2/local_key_resource.py
index 93e5b1cbf..1cf69f3ed 100644
--- a/synapse/rest/key/v2/local_key_resource.py
+++ b/synapse/rest/key/v2/local_key_resource.py
@@ -19,8 +19,6 @@ from synapse.http.server import respond_with_json_bytes
 from signedjson.sign import sign_json
 from unpaddedbase64 import encode_base64
 from canonicaljson import encode_canonical_json
-from hashlib import sha256
-from OpenSSL import crypto
 import logging
 
 
@@ -49,7 +47,8 @@ class LocalKey(Resource):
                     "key": # base64 encoded NACL verification key.
                 }
             }
-            "tls_certificate": # base64 ASN.1 DER encoded X.509 tls cert.
+            "tls_fingerprints": # Fingerprints of the TLS certs this server uses.
+                - {"sha256": "..."}
             "signatures": {
                 "this.server.example.com": {
                    "algorithm:version": # NACL signature for this server
@@ -90,21 +89,14 @@ class LocalKey(Resource):
                 u"expired_ts": key.expired,
             }
 
-        x509_certificate_bytes = crypto.dump_certificate(
-            crypto.FILETYPE_ASN1,
-            self.config.tls_certificate
-        )
-
-        sha256_fingerprint = sha256(x509_certificate_bytes).digest()
+        tls_fingerprints = self.config.tls_fingerprints
 
         json_object = {
             u"valid_until_ts": self.valid_until_ts,
             u"server_name": self.config.server_name,
             u"verify_keys": verify_keys,
             u"old_verify_keys": old_verify_keys,
-            u"tls_fingerprints": [{
-                u"sha256": encode_base64(sha256_fingerprint),
-            }]
+            u"tls_fingerprints": tls_fingerprints,
         }
         for key in self.config.signing_key:
             json_object = sign_json(

From 0af6213019076befbe299fcaac4414045728d2b6 Mon Sep 17 00:00:00 2001
From: Mark Haines <mark.haines@matrix.org>
Date: Wed, 12 Oct 2016 14:45:13 +0100
Subject: [PATCH 2/3] Improve comment formatting

---
 synapse/config/tls.py                     | 2 +-
 synapse/rest/key/v2/local_key_resource.py | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 956b440f7..20d55d4d6 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -109,7 +109,7 @@ class TlsConfig(Config):
         # fingerprints of a new certificate and wait for the caches on other
         # servers to expire before deploying it.
         tls_fingerprints: []
-        #- {"sha256": "<base64_encoded_sha256_fingerprint>"}
+        # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
         """ % locals()
 
     def read_tls_certificate(self, cert_path):
diff --git a/synapse/rest/key/v2/local_key_resource.py b/synapse/rest/key/v2/local_key_resource.py
index 1cf69f3ed..ff95269ba 100644
--- a/synapse/rest/key/v2/local_key_resource.py
+++ b/synapse/rest/key/v2/local_key_resource.py
@@ -46,9 +46,12 @@ class LocalKey(Resource):
                     "expired_ts": # integer posix timestamp when the key expired.
                     "key": # base64 encoded NACL verification key.
                 }
-            }
-            "tls_fingerprints": # Fingerprints of the TLS certs this server uses.
-                - {"sha256": "..."}
+            },
+            "tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
+                {
+                    "sha256": # base64 encoded sha256 fingerprint of the X509 cert
+                },
+            ],
             "signatures": {
                 "this.server.example.com": {
                    "algorithm:version": # NACL signature for this server

From c61ddeedaca3944b078f6008b57f3adf6e792cee Mon Sep 17 00:00:00 2001
From: Mark Haines <mark.haines@matrix.org>
Date: Wed, 12 Oct 2016 14:48:24 +0100
Subject: [PATCH 3/3] Explain how long the servers can cache the TLS
 fingerprints for

---
 synapse/config/tls.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 20d55d4d6..3c58d2de1 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -105,9 +105,10 @@ class TlsConfig(Config):
         # synapse is using.
         #
         # Homeservers are permitted to cache the list of TLS fingerprints
-        # returned in the key responses. It may be necessary to publish the
-        # fingerprints of a new certificate and wait for the caches on other
-        # servers to expire before deploying it.
+        # returned in the key responses up to the "valid_until_ts" returned in
+        # key. It may be necessary to publish the fingerprints of a new
+        # certificate and wait until the "valid_until_ts" of the previous key
+        # responses have passed before deploying it.
         tls_fingerprints: []
         # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
         """ % locals()