fix domain whitelist

Andrew Morgan 2019-04-03 11:57:09 +01:00
parent 999f7db6b0
commit 507cdf2b6f
4 changed files with 11 additions and 15 deletions


@ -259,24 +259,17 @@ listeners:
# Whether to verify TLS certificates when sending federation traffic. # Whether to verify TLS certificates when sending federation traffic.
# #
# This currently defaults to `false`, however this will change in
# Synapse 1.0 when valid federation certificates will be required.
#
#federation_verify_certificates: true #federation_verify_certificates: true
# Skip federation certificate validation on the following whitelist of # Prevent federation certificate validation on the following whitelist
# domains. # of domains. Only effective if federation_verify_certicates is true.
#
# Note that this should only be used within the context of private
# federation as it will otherwise break things.
#
# Only effective if federation_verify_certicates is `true`.
# #
#federation_certificate_validation_whitelist: #federation_certificate_validation_whitelist:
# - lon.example.com # - lon.example.com
# - nyc.example.com # - nyc.example.com
# - syd.example.com # - syd.example.com
# List of custom certificate authorities for federation traffic. # List of custom certificate authorities for federation traffic.
# #
# Note that this list will replace those that are provided by your # Note that this list will replace those that are provided by your


@ -111,10 +111,14 @@ class ServerConfig(Config):
self.admin_contact = config.get("admin_contact", None) self.admin_contact = config.get("admin_contact", None)
# FIXME: federation_domain_whitelist needs sytests # FIXME: federation_domain_whitelist needs sytests
self.federation_domain_whitelist = {}
federation_domain_whitelist = config.get( federation_domain_whitelist = config.get(
"federation_domain_whitelist", [], "federation_domain_whitelist", [],
) )
self.federation_domain_whitelist = None
if len(federation_domain_whitelist) > 0:
self.federation_domain_whitelist = {}
# turn the whitelist into a hash for speed of lookup # turn the whitelist into a hash for speed of lookup
for domain in federation_domain_whitelist: for domain in federation_domain_whitelist:
self.federation_domain_whitelist[domain] = True self.federation_domain_whitelist[domain] = True
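Review bot: The added `if len(federation_domain_whitelist) > 0:` guard makes an explicitly configured empty list indistinguishable from an absent key, because both leave `self.federation_domain_whitelist` as `None`. The consumers of this attribute are outside the hunk, but if they treat `None` as "no restriction", an operator who sets `federation_domain_whitelist: []` to block federation would instead federate with every domain. The same line raises `TypeError` when the key is present with no value in the YAML, since `config.get` then returns `None` rather than the `[]` default. Defaulting to `None` and testing `if federation_domain_whitelist is not None:` would keep "unset" and "empty" distinct. The old and new sides are read here from the hunk header counts, since the page has lost its `+`/`-` markers.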


@ -242,15 +242,15 @@ class TlsConfig(Config):
# #
#federation_verify_certificates: true #federation_verify_certificates: true
# Skip federation certificate validation on the following whitelist of # Skip federation certificate verification on the following whitelist
# domains. # of domains.
# #
# Note that this should only be used within the context of private # Note that this should only be used within the context of private
# federation as it will otherwise break things. # federation as it will otherwise break things.
# #
# Only effective if federation_verify_certicates is `true`. # Only effective if federation_verify_certicates is `true`.
# #
#federation_certificate_validation_whitelist: #federation_certificate_verification_whitelist:
# - lon.example.com # - lon.example.com
# - nyc.example.com # - nyc.example.com
# - syd.example.com # - syd.example.com
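Review bot: The commented key is renamed to `federation_certificate_verification_whitelist` in this section, but the first file section on this page still shows `federation_certificate_validation_whitelist` on both sides, so the two config samples disagree after this commit. The code that reads the key is outside this hunk; if it accepts only one spelling, the other is presumably ignored without error, and an operator cannot tell from the config whether certificate verification is being skipped for the listed domains. The cross-reference `federation_verify_certicates` is also misspelled on the new side, here and in the first section, and should read `federation_verify_certificates` so that a copied name matches the real option.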


@ -131,7 +131,6 @@ class ClientTLSOptionsFactory(object):
def __init__(self, config): def __init__(self, config):
self._config = config self._config = config
self._options_noverify = CertificateOptions() self._options_noverify = CertificateOptions()
# Check if we're using a custom list of a CA certificates # Check if we're using a custom list of a CA certificates