From 507cdf2b6f00317e88a76809511239766b5656b9 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Wed, 3 Apr 2019 11:57:09 +0100 Subject: [PATCH] fix domain whitelist --- docs/sample_config.yaml | 13 +++---------- synapse/config/server.py | 6 +++++- synapse/config/tls.py | 6 +++--- synapse/crypto/context_factory.py | 1 - 4 files changed, 11 insertions(+), 15 deletions(-) diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 88ed8f6f0c..4ffe016202 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml @@ -259,24 +259,17 @@ listeners: # Whether to verify TLS certificates when sending federation traffic. # -# This currently defaults to `false`, however this will change in -# Synapse 1.0 when valid federation certificates will be required. -# #federation_verify_certificates: true -# Skip federation certificate validation on the following whitelist of -# domains. -# -# Note that this should only be used within the context of private -# federation as it will otherwise break things. -# -# Only effective if federation_verify_certicates is `true`. +# Prevent federation certificate validation on the following whitelist +# of domains. Only effective if federation_verify_certicates is true. # #federation_certificate_validation_whitelist: # - lon.example.com # - nyc.example.com # - syd.example.com + # List of custom certificate authorities for federation traffic. # # Note that this list will replace those that are provided by your diff --git a/synapse/config/server.py b/synapse/config/server.py index aa2bb0d040..f55a71d508 100644 --- a/synapse/config/server.py +++ b/synapse/config/server.py 
@@ -111,10 +111,14 @@ class ServerConfig(Config):
         self.admin_contact = config.get("admin_contact", None)
 
         # FIXME: federation_domain_whitelist needs sytests
-        self.federation_domain_whitelist = {}
         federation_domain_whitelist = config.get(
             "federation_domain_whitelist", [],
         )
+
+        self.federation_domain_whitelist = None
+        if len(federation_domain_whitelist) > 0:
+            self.federation_domain_whitelist = {}
+
         # turn the whitelist into a hash for speed of lookup
         for domain in federation_domain_whitelist:
             self.federation_domain_whitelist[domain] = True
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 7dbf41887b..d157e310e4 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -242,15 +242,15 @@ class TlsConfig(Config):
         #
         #federation_verify_certificates: true
 
-        # Skip federation certificate validation on the following whitelist of
-        # domains.
+        # Skip federation certificate verification on the following whitelist
+        # of domains.
         #
         # Note that this should only be used within the context of private
         # federation as it will otherwise break things.
         #
         # Only effective if federation_verify_certicates is `true`.
         #
-        #federation_certificate_validation_whitelist:
+        #federation_certificate_verification_whitelist:
         #  - lon.example.com
         #  - nyc.example.com
         #  - syd.example.com
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index e2b5ce173b..1ee87cdd13 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -131,7 +131,6 @@ class ClientTLSOptionsFactory(object):
     def __init__(self, config):
         self._config = config
-        self._options_noverify = CertificateOptions()
 
         # Check if we're using a custom list of a CA certificates
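Review bot: The new guard `if len(federation_domain_whitelist) > 0:` crashes with a `TypeError` at startup when the operator writes `federation_domain_whitelist:` with no value, because `config.get("federation_domain_whitelist", [])` returns `None` for a present-but-empty key and `len(None)` fails before the loop that previously tripped over it. Coercing at the read site, `federation_domain_whitelist = config.get("federation_domain_whitelist") or []`, covers both the missing and the null case, and the idiomatic guard is then simply `if federation_domain_whitelist:`. The `None`-versus-`{}` distinction the hunk introduces is now presumably what downstream code keys on to decide whether any whitelist check applies at all (the commit title suggests the empty `{}` was the bug), so it deserves a comment on the `None` assignment such as `# None means no whitelist is configured; callers treat that as "no restriction" — confirm against users of this attribute`. The enclosing method continues outside the hunk.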
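Review bot: The template now documents the option as `federation_certificate_verification_whitelist`, but `docs/sample_config.yaml` in the same patch still shows `federation_certificate_validation_whitelist` with different wording (`# Prevent federation certificate validation on the following whitelist`), and it drops the private-federation caveat this template keeps; the sample is presumably generated from this template, so one of the two will not round-trip, and an operator pasting from the sample may set a key the loader never reads. Both files should carry whichever key the config reader actually consumes, which is outside this hunk. The unchanged context line `# Only effective if federation_verify_certicates is \`true\`.` misspells the option it refers to (`federation_verify_certificates`), and the yaml hunk copies the typo into a new line; because this block is what operators copy to decide where certificate checks are skipped, the spelling should be fixed here and in the sample. The enclosing template string starts and ends outside the hunk.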