|
@@ -16,11 +16,8 @@ import logging
|
|
|
import os
|
|
|
import warnings
|
|
|
from datetime import datetime
|
|
|
-from hashlib import sha256
|
|
|
from typing import List, Optional, Pattern
|
|
|
|
|
|
-from unpaddedbase64 import encode_base64
|
|
|
-
|
|
|
from OpenSSL import SSL, crypto
|
|
|
from twisted.internet._sslverify import Certificate, trustRootFromCertificates
|
|
|
|
|
@@ -83,13 +80,6 @@ class TlsConfig(Config):
|
|
|
"configured."
|
|
|
)
|
|
|
|
|
|
- self._original_tls_fingerprints = config.get("tls_fingerprints", [])
|
|
|
-
|
|
|
- if self._original_tls_fingerprints is None:
|
|
|
- self._original_tls_fingerprints = []
|
|
|
-
|
|
|
- self.tls_fingerprints = list(self._original_tls_fingerprints)
|
|
|
-
|
|
|
# Whether to verify certificates on outbound federation traffic
|
|
|
self.federation_verify_certificates = config.get(
|
|
|
"federation_verify_certificates", True
|
|
@@ -248,19 +238,6 @@ class TlsConfig(Config):
|
|
|
e,
|
|
|
)
|
|
|
|
|
|
- self.tls_fingerprints = list(self._original_tls_fingerprints)
|
|
|
-
|
|
|
- if self.tls_certificate:
|
|
|
- # Check that our own certificate is included in the list of fingerprints
|
|
|
- # and include it if it is not.
|
|
|
- x509_certificate_bytes = crypto.dump_certificate(
|
|
|
- crypto.FILETYPE_ASN1, self.tls_certificate
|
|
|
- )
|
|
|
- sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
|
|
|
- sha256_fingerprints = {f["sha256"] for f in self.tls_fingerprints}
|
|
|
- if sha256_fingerprint not in sha256_fingerprints:
|
|
|
- self.tls_fingerprints.append({"sha256": sha256_fingerprint})
|
|
|
-
|
|
|
def generate_config_section(
|
|
|
self,
|
|
|
config_dir_path,
|
|
@@ -443,33 +420,6 @@ class TlsConfig(Config):
|
|
|
# If unspecified, we will use CONFDIR/client.key.
|
|
|
#
|
|
|
account_key_file: %(default_acme_account_file)s
|
|
|
-
|
|
|
- # List of allowed TLS fingerprints for this server to publish along
|
|
|
- # with the signing keys for this server. Other matrix servers that
|
|
|
- # make HTTPS requests to this server will check that the TLS
|
|
|
- # certificates returned by this server match one of the fingerprints.
|
|
|
- #
|
|
|
- # Synapse automatically adds the fingerprint of its own certificate
|
|
|
- # to the list. So if federation traffic is handled directly by synapse
|
|
|
- # then no modification to the list is required.
|
|
|
- #
|
|
|
- # If synapse is run behind a load balancer that handles the TLS then it
|
|
|
- # will be necessary to add the fingerprints of the certificates used by
|
|
|
- # the loadbalancers to this list if they are different to the one
|
|
|
- # synapse is using.
|
|
|
- #
|
|
|
- # Homeservers are permitted to cache the list of TLS fingerprints
|
|
|
- # returned in the key responses up to the "valid_until_ts" returned in
|
|
|
- # key. It may be necessary to publish the fingerprints of a new
|
|
|
- # certificate and wait until the "valid_until_ts" of the previous key
|
|
|
- # responses have passed before deploying it.
|
|
|
- #
|
|
|
- # You can calculate a fingerprint from a given TLS listener via:
|
|
|
- # openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
|
|
|
- # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
|
|
|
- # or by checking matrix.org/federationtester/api/report?server_name=$host
|
|
|
- #
|
|
|
- #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
|
|
"""
|
|
|
# Lowercase the string representation of boolean values
|
|
|
% {
|