Merge pull request #5359 from matrix-org/rav/enable_tls_verification

Validate federation server TLS certificates by default.
This commit is contained in:
Richard van der Hoff 2019-06-06 10:50:42 +01:00 committed by GitHub
commit cb3b381fcb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 19 additions and 12 deletions

1
changelog.d/5359.feature Normal file
View file

@ -0,0 +1 @@
Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)).

View file

@ -329,12 +329,12 @@ listeners:
# #
#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key" #tls_private_key_path: "CONFDIR/SERVERNAME.tls.key"
# Whether to verify TLS certificates when sending federation traffic. # Whether to verify TLS server certificates for outbound federation requests.
# #
# This currently defaults to `false`, however this will change in # Defaults to `true`. To disable certificate verification, uncomment the
# Synapse 1.0 when valid federation certificates will be required. # following line.
# #
#federation_verify_certificates: true #federation_verify_certificates: false
# Skip federation certificate verification on the following whitelist # Skip federation certificate verification on the following whitelist
# of domains. # of domains.

View file

@ -74,7 +74,7 @@ class TlsConfig(Config):
# Whether to verify certificates on outbound federation traffic # Whether to verify certificates on outbound federation traffic
self.federation_verify_certificates = config.get( self.federation_verify_certificates = config.get(
"federation_verify_certificates", False, "federation_verify_certificates", True,
) )
# Whitelist of domains to not verify certificates for # Whitelist of domains to not verify certificates for
@ -241,12 +241,12 @@ class TlsConfig(Config):
# #
#tls_private_key_path: "%(tls_private_key_path)s" #tls_private_key_path: "%(tls_private_key_path)s"
# Whether to verify TLS certificates when sending federation traffic. # Whether to verify TLS server certificates for outbound federation requests.
# #
# This currently defaults to `false`, however this will change in # Defaults to `true`. To disable certificate verification, uncomment the
# Synapse 1.0 when valid federation certificates will be required. # following line.
# #
#federation_verify_certificates: true #federation_verify_certificates: false
# Skip federation certificate verification on the following whitelist # Skip federation certificate verification on the following whitelist
# of domains. # of domains.

View file

@ -27,6 +27,7 @@ from twisted.web.http import HTTPChannel
from twisted.web.http_headers import Headers from twisted.web.http_headers import Headers
from twisted.web.iweb import IPolicyForHTTPS from twisted.web.iweb import IPolicyForHTTPS
from synapse.config.homeserver import HomeServerConfig
from synapse.crypto.context_factory import ClientTLSOptionsFactory from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import ( from synapse.http.federation.matrix_federation_agent import (
MatrixFederationAgent, MatrixFederationAgent,
@ -52,11 +53,16 @@ class MatrixFederationAgentTests(TestCase):
self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds) self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
# for now, we disable cert verification for the test, since the cert we
# present will not be trusted. We should do better here, though.
config_dict = default_config("test", parse=False)
config_dict["federation_verify_certificates"] = False
config = HomeServerConfig()
config.parse_config_dict(config_dict)
self.agent = MatrixFederationAgent( self.agent = MatrixFederationAgent(
reactor=self.reactor, reactor=self.reactor,
tls_client_options_factory=ClientTLSOptionsFactory( tls_client_options_factory=ClientTLSOptionsFactory(config),
default_config("test", parse=True)
),
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(), _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
_srv_resolver=self.mock_resolver, _srv_resolver=self.mock_resolver,
_well_known_cache=self.well_known_cache, _well_known_cache=self.well_known_cache,