Remove tls_fingerprints option (#9280)
Signed-off-by: Jerin J Titus <72017981+jerinjtitus@users.noreply.github.com>
parent
82eacb0e07
commit
057ce7b754
@ -0,0 +1 @@
|
||||||
|
Removed support for the deprecated `tls_fingerprints` configuration setting. Contributed by Jerin J Titus.
|
|
@ -683,33 +683,6 @@ acme:
|
||||||
#
|
#
|
||||||
account_key_file: DATADIR/acme_account.key
|
account_key_file: DATADIR/acme_account.key
|
||||||
|
|
||||||
# List of allowed TLS fingerprints for this server to publish along
|
|
||||||
# with the signing keys for this server. Other matrix servers that
|
|
||||||
# make HTTPS requests to this server will check that the TLS
|
|
||||||
# certificates returned by this server match one of the fingerprints.
|
|
||||||
#
|
|
||||||
# Synapse automatically adds the fingerprint of its own certificate
|
|
||||||
# to the list. So if federation traffic is handled directly by synapse
|
|
||||||
# then no modification to the list is required.
|
|
||||||
#
|
|
||||||
# If synapse is run behind a load balancer that handles the TLS then it
|
|
||||||
# will be necessary to add the fingerprints of the certificates used by
|
|
||||||
# the loadbalancers to this list if they are different to the one
|
|
||||||
# synapse is using.
|
|
||||||
#
|
|
||||||
# Homeservers are permitted to cache the list of TLS fingerprints
|
|
||||||
# returned in the key responses up to the "valid_until_ts" returned in
|
|
||||||
# key. It may be necessary to publish the fingerprints of a new
|
|
||||||
# certificate and wait until the "valid_until_ts" of the previous key
|
|
||||||
# responses have passed before deploying it.
|
|
||||||
#
|
|
||||||
# You can calculate a fingerprint from a given TLS listener via:
|
|
||||||
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
|
|
||||||
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
|
|
||||||
# or by checking matrix.org/federationtester/api/report?server_name=$host
|
|
||||||
#
|
|
||||||
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
|
||||||
|
|
||||||
|
|
||||||
## Federation ##
|
## Federation ##
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
import hashlib
|
|
||||||
import json
|
import json
|
||||||
import sys
|
import sys
|
||||||
import time
|
import time
|
||||||
|
@ -54,15 +53,9 @@ def convert_v1_to_v2(server_name, valid_until, keys, certificate):
|
||||||
"server_name": server_name,
|
"server_name": server_name,
|
||||||
"verify_keys": {key_id: {"key": key} for key_id, key in keys.items()},
|
"verify_keys": {key_id: {"key": key} for key_id, key in keys.items()},
|
||||||
"valid_until_ts": valid_until,
|
"valid_until_ts": valid_until,
|
||||||
"tls_fingerprints": [fingerprint(certificate)],
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
def fingerprint(certificate):
|
|
||||||
finger = hashlib.sha256(certificate)
|
|
||||||
return {"sha256": encode_base64(finger.digest())}
|
|
||||||
|
|
||||||
|
|
||||||
def rows_v2(server, json):
|
def rows_v2(server, json):
|
||||||
valid_until = json["valid_until_ts"]
|
valid_until = json["valid_until_ts"]
|
||||||
key_json = encode_canonical_json(json)
|
key_json = encode_canonical_json(json)
|
||||||
|
|
|
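Review bot: `convert_v1_to_v2` keeps its `certificate` parameter (still in the signature shown by the `@ -54,15 +53,9 @@` hunk header) although its only use, `fingerprint(certificate)`, is removed here, so the argument is now dead; either drop it from the signature and its callers in the same change, or mark it with `# certificate is no longer used; kept so existing callers keep working` above the dict. With `fingerprint()` deleted, `encode_base64` appears to have no remaining caller in this script, but only the `@ -1,4 +1,3 @@` hunk of the import block is in view (it drops `hashlib` alone), so check whether the `unpaddedbase64` import can go as well. The body of `convert_v1_to_v2` starts outside the hunk.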
@ -16,11 +16,8 @@ import logging
|
||||||
import os
|
import os
|
||||||
import warnings
|
import warnings
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
from hashlib import sha256
|
|
||||||
from typing import List, Optional, Pattern
|
from typing import List, Optional, Pattern
|
||||||
|
|
||||||
from unpaddedbase64 import encode_base64
|
|
||||||
|
|
||||||
from OpenSSL import SSL, crypto
|
from OpenSSL import SSL, crypto
|
||||||
from twisted.internet._sslverify import Certificate, trustRootFromCertificates
|
from twisted.internet._sslverify import Certificate, trustRootFromCertificates
|
||||||
|
|
||||||
|
@ -83,13 +80,6 @@ class TlsConfig(Config):
|
||||||
"configured."
|
"configured."
|
||||||
)
|
)
|
||||||
|
|
||||||
self._original_tls_fingerprints = config.get("tls_fingerprints", [])
|
|
||||||
|
|
||||||
if self._original_tls_fingerprints is None:
|
|
||||||
self._original_tls_fingerprints = []
|
|
||||||
|
|
||||||
self.tls_fingerprints = list(self._original_tls_fingerprints)
|
|
||||||
|
|
||||||
# Whether to verify certificates on outbound federation traffic
|
# Whether to verify certificates on outbound federation traffic
|
||||||
self.federation_verify_certificates = config.get(
|
self.federation_verify_certificates = config.get(
|
||||||
"federation_verify_certificates", True
|
"federation_verify_certificates", True
|
||||||
|
@ -248,19 +238,6 @@ class TlsConfig(Config):
|
||||||
e,
|
e,
|
||||||
)
|
)
|
||||||
|
|
||||||
self.tls_fingerprints = list(self._original_tls_fingerprints)
|
|
||||||
|
|
||||||
if self.tls_certificate:
|
|
||||||
# Check that our own certificate is included in the list of fingerprints
|
|
||||||
# and include it if it is not.
|
|
||||||
x509_certificate_bytes = crypto.dump_certificate(
|
|
||||||
crypto.FILETYPE_ASN1, self.tls_certificate
|
|
||||||
)
|
|
||||||
sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
|
|
||||||
sha256_fingerprints = {f["sha256"] for f in self.tls_fingerprints}
|
|
||||||
if sha256_fingerprint not in sha256_fingerprints:
|
|
||||||
self.tls_fingerprints.append({"sha256": sha256_fingerprint})
|
|
||||||
|
|
||||||
def generate_config_section(
|
def generate_config_section(
|
||||||
self,
|
self,
|
||||||
config_dir_path,
|
config_dir_path,
|
||||||
|
@ -443,33 +420,6 @@ class TlsConfig(Config):
|
||||||
# If unspecified, we will use CONFDIR/client.key.
|
# If unspecified, we will use CONFDIR/client.key.
|
||||||
#
|
#
|
||||||
account_key_file: %(default_acme_account_file)s
|
account_key_file: %(default_acme_account_file)s
|
||||||
|
|
||||||
# List of allowed TLS fingerprints for this server to publish along
|
|
||||||
# with the signing keys for this server. Other matrix servers that
|
|
||||||
# make HTTPS requests to this server will check that the TLS
|
|
||||||
# certificates returned by this server match one of the fingerprints.
|
|
||||||
#
|
|
||||||
# Synapse automatically adds the fingerprint of its own certificate
|
|
||||||
# to the list. So if federation traffic is handled directly by synapse
|
|
||||||
# then no modification to the list is required.
|
|
||||||
#
|
|
||||||
# If synapse is run behind a load balancer that handles the TLS then it
|
|
||||||
# will be necessary to add the fingerprints of the certificates used by
|
|
||||||
# the loadbalancers to this list if they are different to the one
|
|
||||||
# synapse is using.
|
|
||||||
#
|
|
||||||
# Homeservers are permitted to cache the list of TLS fingerprints
|
|
||||||
# returned in the key responses up to the "valid_until_ts" returned in
|
|
||||||
# key. It may be necessary to publish the fingerprints of a new
|
|
||||||
# certificate and wait until the "valid_until_ts" of the previous key
|
|
||||||
# responses have passed before deploying it.
|
|
||||||
#
|
|
||||||
# You can calculate a fingerprint from a given TLS listener via:
|
|
||||||
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
|
|
||||||
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
|
|
||||||
# or by checking matrix.org/federationtester/api/report?server_name=$host
|
|
||||||
#
|
|
||||||
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
|
||||||
"""
|
"""
|
||||||
# Lowercase the string representation of boolean values
|
# Lowercase the string representation of boolean values
|
||||||
% {
|
% {
|
||||||
|
|
|
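Review bot: Removing `self._original_tls_fingerprints = config.get("tls_fingerprints", [])` from `TlsConfig.__init__` (hunk `@ -83,13 +80,6 @@`) means an operator who still has `tls_fingerprints:` in their config gets no indication that the setting is now ignored; since the module already imports `logging` and `warnings` (header of hunk `@ -16,11 +16,8 @@`), consider `if "tls_fingerprints" in config: logger.warning("The 'tls_fingerprints' option is no longer supported and is ignored")` at that spot, assuming a module-level `logger` exists as elsewhere in the package. The `crypto` name stays imported from `OpenSSL` while its visible use, `crypto.dump_certificate(...)` in the `@ -248,19 +238,6 @@` hunk, is deleted; any other uses are outside the diff, so confirm it is still referenced before keeping the import. Both enclosing methods start outside their hunks.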
@ -48,11 +48,6 @@ class LocalKey(Resource):
|
||||||
"key": # base64 encoded NACL verification key.
|
"key": # base64 encoded NACL verification key.
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
|
|
||||||
{
|
|
||||||
"sha256": # base64 encoded sha256 fingerprint of the X509 cert
|
|
||||||
},
|
|
||||||
],
|
|
||||||
"signatures": {
|
"signatures": {
|
||||||
"this.server.example.com": {
|
"this.server.example.com": {
|
||||||
"algorithm:version": # NACL signature for this server
|
"algorithm:version": # NACL signature for this server
|
||||||
|
@ -89,14 +84,11 @@ class LocalKey(Resource):
|
||||||
"expired_ts": key.expired_ts,
|
"expired_ts": key.expired_ts,
|
||||||
}
|
}
|
||||||
|
|
||||||
tls_fingerprints = self.config.tls_fingerprints
|
|
||||||
|
|
||||||
json_object = {
|
json_object = {
|
||||||
"valid_until_ts": self.valid_until_ts,
|
"valid_until_ts": self.valid_until_ts,
|
||||||
"server_name": self.config.server_name,
|
"server_name": self.config.server_name,
|
||||||
"verify_keys": verify_keys,
|
"verify_keys": verify_keys,
|
||||||
"old_verify_keys": old_verify_keys,
|
"old_verify_keys": old_verify_keys,
|
||||||
"tls_fingerprints": tls_fingerprints,
|
|
||||||
}
|
}
|
||||||
for key in self.config.signing_key:
|
for key in self.config.signing_key:
|
||||||
json_object = sign_json(json_object, self.config.server_name, key)
|
json_object = sign_json(json_object, self.config.server_name, key)
|
||||||
|
|
|
@ -73,9 +73,6 @@ class RemoteKey(DirectServeJsonResource):
|
||||||
"expired_ts": 0, # when the key stop being used.
|
"expired_ts": 0, # when the key stop being used.
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
"tls_fingerprints": [
|
|
||||||
{ "sha256": # fingerprint }
|
|
||||||
]
|
|
||||||
"signatures": {
|
"signatures": {
|
||||||
"remote.server.example.com": {...}
|
"remote.server.example.com": {...}
|
||||||
"this.server.example.com": {...}
|
"this.server.example.com": {...}
|
||||||
|
|