Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Remove tls_fingerprints option #9280

Merged
merged 7 commits into from
May 24, 2021
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/9280.removal
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Removed support for the deprecated `tls_fingerprints` configuration setting. Contributed by Jerin J Titus.
27 changes: 0 additions & 27 deletions docs/sample_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -673,33 +673,6 @@ acme:
#
account_key_file: DATADIR/acme_account.key

# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]


## Federation ##

Expand Down
7 changes: 0 additions & 7 deletions scripts-dev/convert_server_keys.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
import hashlib
import json
import sys
import time
Expand Down Expand Up @@ -54,15 +53,9 @@ def convert_v1_to_v2(server_name, valid_until, keys, certificate):
"server_name": server_name,
"verify_keys": {key_id: {"key": key} for key_id, key in keys.items()},
"valid_until_ts": valid_until,
"tls_fingerprints": [fingerprint(certificate)],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is necessary, but on the other hand, I don't think this script is useful any more.

}


def fingerprint(certificate):
finger = hashlib.sha256(certificate)
return {"sha256": encode_base64(finger.digest())}


def rows_v2(server, json):
valid_until = json["valid_until_ts"]
key_json = encode_canonical_json(json)
Expand Down
50 changes: 0 additions & 50 deletions synapse/config/tls.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,8 @@
import os
import warnings
from datetime import datetime
from hashlib import sha256
from typing import List, Optional

from unpaddedbase64 import encode_base64

from OpenSSL import SSL, crypto
from twisted.internet._sslverify import Certificate, trustRootFromCertificates

Expand Down Expand Up @@ -83,13 +80,6 @@ def read_config(self, config: dict, config_dir_path: str, **kwargs):
"configured."
)

self._original_tls_fingerprints = config.get("tls_fingerprints", [])

if self._original_tls_fingerprints is None:
self._original_tls_fingerprints = []

self.tls_fingerprints = list(self._original_tls_fingerprints)

# Whether to verify certificates on outbound federation traffic
self.federation_verify_certificates = config.get(
"federation_verify_certificates", True
Expand Down Expand Up @@ -248,19 +238,6 @@ def read_certificate_from_disk(self, require_cert_and_key: bool):
e,
)

self.tls_fingerprints = list(self._original_tls_fingerprints)

if self.tls_certificate:
# Check that our own certificate is included in the list of fingerprints
# and include it if it is not.
x509_certificate_bytes = crypto.dump_certificate(
crypto.FILETYPE_ASN1, self.tls_certificate
)
sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
sha256_fingerprints = {f["sha256"] for f in self.tls_fingerprints}
if sha256_fingerprint not in sha256_fingerprints:
self.tls_fingerprints.append({"sha256": sha256_fingerprint})

def generate_config_section(
self,
config_dir_path,
Expand Down Expand Up @@ -443,33 +420,6 @@ def generate_config_section(
# If unspecified, we will use CONFDIR/client.key.
#
account_key_file: %(default_acme_account_file)s

# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
"""
# Lowercase the string representation of boolean values
% {
Expand Down
8 changes: 0 additions & 8 deletions synapse/rest/key/v2/local_key_resource.py
Original file line number Diff line number Diff line change
Expand Up @@ -48,11 +48,6 @@ class LocalKey(Resource):
"key": # base64 encoded NACL verification key.
}
},
"tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
{
"sha256": # base64 encoded sha256 fingerprint of the X509 cert
},
],
"signatures": {
"this.server.example.com": {
"algorithm:version": # NACL signature for this server
Expand Down Expand Up @@ -89,14 +84,11 @@ def response_json_object(self):
"expired_ts": key.expired_ts,
}

tls_fingerprints = self.config.tls_fingerprints

json_object = {
"valid_until_ts": self.valid_until_ts,
"server_name": self.config.server_name,
"verify_keys": verify_keys,
"old_verify_keys": old_verify_keys,
"tls_fingerprints": tls_fingerprints,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for reference: this has been unspecced since at least the first version of the server-server API: https://matrix.org/docs/spec/server_server/r0.1.0#get-matrix-key-v2-server-keyid.

}
for key in self.config.signing_key:
json_object = sign_json(json_object, self.config.server_name, key)
Expand Down
3 changes: 0 additions & 3 deletions synapse/rest/key/v2/remote_key_resource.py
Original file line number Diff line number Diff line change
Expand Up @@ -73,9 +73,6 @@ class RemoteKey(DirectServeJsonResource):
"expired_ts": 0, # when the key stop being used.
}
}
"tls_fingerprints": [
{ "sha256": # fingerprint }
]
"signatures": {
"remote.server.example.com": {...}
"this.server.example.com": {...}
Expand Down