Config option for verifying federation certificates

2024-12-20 19:10:45 +03:00 · 2019-03-28 18:06:31 +00:00 · 2019-03-28 18:06:31 +00:00 · dbb3319e5c
commit dbb3319e5c
parent 7a91b9d81c
3 changed files with 30 additions and 2 deletions
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@ -110,6 +110,22 @@ class ServerConfig(Config):
        # due to resource constraints
        self.admin_contact = config.get("admin_contact", None)

+        self.federation_verify_certificates = config.get(
+            "federation_verify_certificates", False,
+        )
+
+        # Whitelist of domains to not verify certificates for
+        self.federation_certificate_verification_whitelist = None
+        federation_certificate_verification_whitelist = config.get(
+            "federation_certificate_verification_whitelist", None
+        )
+
+        # Store whitelisted domains in a hash for fast lookup
+        if federation_certificate_verification_whitelist is not None:
+            self.federation_certificate_verification_whitelist = {}
+            for domain in federation_certificate_verification_whitelist:
+                self.federation_certificate_verification_whitelist[domain] = True
+
        # FIXME: federation_domain_whitelist needs sytests
        self.federation_domain_whitelist = None
        federation_domain_whitelist = config.get(
@ -339,6 +355,18 @@ class ServerConfig(Config):
        #
        #enable_search: false

+        # Whether to verify TLS certificates when sending federation traffic.
+        #
+        #federation_verify_certificates: true
+
+        # Prevent federation certificate validation on the following whitelist
+        # of domains. Only effective if federation_verify_certicates is true.
+        #
+        #federation_certificate_validation_whitelist:
+        #  - lon.example.com
+        #  - nyc.example.com
+        #  - syd.example.com
+
        # Restrict federation to the following whitelist of domains.
        # N.B. we recommend also firewalling your federation listener to limit
        # inbound federation traffic as early as possible, rather than relying
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -127,8 +127,7 @@ class ClientTLSOptionsFactory(object):
    to remote servers for federation."""

    def __init__(self, config):
-        # We don't use config options yet
-        self._options = CertificateOptions(verify=False)
+        self._options = CertificateOptions(verify=config.federation_verify_certificates)

    def get_options(self, host):
        # Use _makeContext so that we get a fresh OpenSSL CTX each time.
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@ -148,6 +148,7 @@ class MatrixFederationAgent(object):
        if self._tls_client_options_factory is None:
            tls_options = None
        else:
+            # TODO: Check the server we're sending to here and change verify value if necessary
            tls_options = self._tls_client_options_factory.get_options(
                res.tls_server_name.decode("ascii")
            )