From 30c2325eaf85f28f438f9a3c7b703978eee66cf7 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Fri, 7 Aug 2020 17:25:31 +0100 Subject: [PATCH] Allow enforcing X.509 certificate validity (MSC1711) (#1249) * Configurable X.509 certificate validation * Fix dendritejs * Update go.mod/go.sum for matrix-org/gomatrixserverlib#214 * Update sample config --- cmd/dendrite-demo-libp2p/main.go | 5 +++-- cmd/dendrite-demo-yggdrasil/yggconn/client.go | 5 +++-- cmd/dendrite-media-api-server/main.go | 2 +- cmd/dendrite-monolith-server/main.go | 2 +- cmd/dendritejs/main.go | 6 +++--- dendrite-config.yaml | 3 +++ federationapi/federationapi_test.go | 2 +- go.mod | 2 +- go.sum | 4 ++-- internal/config/config.go | 3 +++ internal/setup/base.go | 1 + serverkeyapi/serverkeyapi_test.go | 2 +- 12 files changed, 23 insertions(+), 14 deletions(-) diff --git a/cmd/dendrite-demo-libp2p/main.go b/cmd/dendrite-demo-libp2p/main.go index 7333e8b4..93d54f21 100644 --- a/cmd/dendrite-demo-libp2p/main.go +++ b/cmd/dendrite-demo-libp2p/main.go @@ -75,7 +75,8 @@ func createFederationClient( p2phttp.NewTransport(base.LibP2P, p2phttp.ProtocolOption("/matrix")), ) return gomatrixserverlib.NewFederationClientWithTransport( - base.Base.Cfg.Matrix.ServerName, base.Base.Cfg.Matrix.KeyID, base.Base.Cfg.Matrix.PrivateKey, tr, + base.Base.Cfg.Matrix.ServerName, base.Base.Cfg.Matrix.KeyID, + base.Base.Cfg.Matrix.PrivateKey, true, tr, ) } @@ -87,7 +88,7 @@ func createClient( "matrix", p2phttp.NewTransport(base.LibP2P, p2phttp.ProtocolOption("/matrix")), ) - return gomatrixserverlib.NewClientWithTransport(tr) + return gomatrixserverlib.NewClientWithTransport(true, tr) } func main() { diff --git a/cmd/dendrite-demo-yggdrasil/yggconn/client.go b/cmd/dendrite-demo-yggdrasil/yggconn/client.go index 56afe264..9cb6f975 100644 --- a/cmd/dendrite-demo-yggdrasil/yggconn/client.go +++ b/cmd/dendrite-demo-yggdrasil/yggconn/client.go 
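Review bot: The second added line of the createFederationClient hunk passes a bare `true` in the new position before `tr`, and nothing at the call site says what it means; internal/setup/base.go in the same patch passes `b.Cfg.Matrix.FederationDisableTLSValidation` in that position, so this literal presumably disables X.509 certificate validation for this client unconditionally. If that is intended because the libp2p transport carries no server certificate to check, record it where the value is passed, e.g. `base.Base.Cfg.Matrix.PrivateKey, true, tr, // true: skip X.509 validation, the libp2p transport has no server certificate to verify — confirm`, or bind it to a named local first. The same bare `true` appears in the createClient hunk below, in both cmd/dendrite-demo-yggdrasil/yggconn/client.go hunks, in both cmd/dendritejs/main.go hunks and in the two test files; a single named constant per file, e.g. `const disableTLSValidation = true`, with that comment would cover each of them. As written, and unlike the monolith and media-api binaries, these demo clients cannot be switched back to validating certificates through configuration.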
@@ -33,7 +33,7 @@ func (n *Node) CreateClient( }, }, ) - return gomatrixserverlib.NewClientWithTransport(tr) + return gomatrixserverlib.NewClientWithTransport(true, tr) } func (n *Node) CreateFederationClient( @@ -54,6 +54,7 @@ func (n *Node) CreateFederationClient( }, ) return gomatrixserverlib.NewFederationClientWithTransport( - base.Cfg.Matrix.ServerName, base.Cfg.Matrix.KeyID, base.Cfg.Matrix.PrivateKey, tr, + base.Cfg.Matrix.ServerName, base.Cfg.Matrix.KeyID, + base.Cfg.Matrix.PrivateKey, true, tr, ) } diff --git a/cmd/dendrite-media-api-server/main.go b/cmd/dendrite-media-api-server/main.go index 1582a33a..2b9c5090 100644 --- a/cmd/dendrite-media-api-server/main.go +++ b/cmd/dendrite-media-api-server/main.go @@ -26,7 +26,7 @@ func main() { defer base.Close() // nolint: errcheck userAPI := base.UserAPIClient() - client := gomatrixserverlib.NewClient() + client := gomatrixserverlib.NewClient(cfg.Matrix.FederationDisableTLSValidation) mediaapi.AddPublicRoutes(base.PublicAPIMux, base.Cfg, userAPI, client) diff --git a/cmd/dendrite-monolith-server/main.go b/cmd/dendrite-monolith-server/main.go index c75ef8fb..ed30685b 100644 --- a/cmd/dendrite-monolith-server/main.go +++ b/cmd/dendrite-monolith-server/main.go @@ -126,7 +126,7 @@ func main() { Config: base.Cfg, AccountDB: accountDB, DeviceDB: deviceDB, - Client: gomatrixserverlib.NewClient(), + Client: gomatrixserverlib.NewClient(cfg.Matrix.FederationDisableTLSValidation), FedClient: federation, KeyRing: keyRing, KafkaConsumer: base.KafkaConsumer, diff --git a/cmd/dendritejs/main.go b/cmd/dendritejs/main.go index fd407e6e..274d170e 100644 --- a/cmd/dendritejs/main.go +++ b/cmd/dendritejs/main.go 
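Review bot: In the cmd/dendrite-media-api-server/main.go hunk the new NewClient argument reads `cfg.Matrix.FederationDisableTLSValidation`, while the following context line passes `base.Cfg` to mediaapi.AddPublicRoutes; main's body starts outside the hunk, so whether `cfg` is the same object as `base.Cfg` cannot be seen here. If both name the same configuration, reading the flag as `base.Cfg.Matrix.FederationDisableTLSValidation` keeps one source of truth for the client setup and matches CreateFederationClient in internal/setup/base.go, which reads it from `b.Cfg`. The cmd/dendrite-monolith-server/main.go hunk has the same shape, `Config: base.Cfg` beside `NewClient(cfg.Matrix.FederationDisableTLSValidation)`.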
@@ -139,16 +139,16 @@ func createFederationClient(cfg *config.Dendrite, node *go_http_js_libp2p.P2pLoc tr := go_http_js_libp2p.NewP2pTransport(node) fed := gomatrixserverlib.NewFederationClient( - cfg.Matrix.ServerName, cfg.Matrix.KeyID, cfg.Matrix.PrivateKey, + cfg.Matrix.ServerName, cfg.Matrix.KeyID, cfg.Matrix.PrivateKey, true, ) - fed.Client = *gomatrixserverlib.NewClientWithTransport(tr) + fed.Client = *gomatrixserverlib.NewClientWithTransport(true, tr) return fed } func createClient(node *go_http_js_libp2p.P2pLocalNode) *gomatrixserverlib.Client { tr := go_http_js_libp2p.NewP2pTransport(node) - return gomatrixserverlib.NewClientWithTransport(tr) + return gomatrixserverlib.NewClientWithTransport(true, tr) } func createP2PNode(privKey ed25519.PrivateKey) (serverName string, node *go_http_js_libp2p.P2pLocalNode) { diff --git a/dendrite-config.yaml b/dendrite-config.yaml index 8a0ecdae..8f144875 100644 --- a/dendrite-config.yaml +++ b/dendrite-config.yaml @@ -27,6 +27,9 @@ matrix: # public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ # Disables new users from registering (except via shared secrets) registration_disabled: false + # Whether to disable TLS certificate validation. Warning: this reduces federation + # security and should not be enabled in production! + federation_disable_tls_validation: false # The media repository config media: diff --git a/federationapi/federationapi_test.go b/federationapi/federationapi_test.go index 8bc4277e..0e0d7740 100644 --- a/federationapi/federationapi_test.go +++ b/federationapi/federationapi_test.go 
@@ -43,7 +43,7 @@ func TestRoomsV3URLEscapeDoNot404(t *testing.T) { defer cancel() serverName := gomatrixserverlib.ServerName(strings.TrimPrefix(baseURL, "https://")) - fedCli := gomatrixserverlib.NewFederationClient(serverName, cfg.Matrix.KeyID, cfg.Matrix.PrivateKey) + fedCli := gomatrixserverlib.NewFederationClient(serverName, cfg.Matrix.KeyID, cfg.Matrix.PrivateKey, true) testCases := []struct { roomVer gomatrixserverlib.RoomVersion diff --git a/go.mod b/go.mod index c35ae4b5..2f301e04 100644 --- a/go.mod +++ b/go.mod @@ -21,7 +21,7 @@ require ( github.com/matrix-org/go-http-js-libp2p v0.0.0-20200518170932-783164aeeda4 github.com/matrix-org/go-sqlite3-js v0.0.0-20200522092705-bc8506ccbcf3 github.com/matrix-org/gomatrix v0.0.0-20190528120928-7df988a63f26 - github.com/matrix-org/gomatrixserverlib v0.0.0-20200807132727-7b8c09bcdfb2 + github.com/matrix-org/gomatrixserverlib v0.0.0-20200807145008-79c173b65786 github.com/matrix-org/naffka v0.0.0-20200422140631-181f1ee7401f github.com/matrix-org/util v0.0.0-20200807132607-55161520e1d4 github.com/mattn/go-sqlite3 v2.0.2+incompatible diff --git a/go.sum b/go.sum index fa8f5554..bc3bb195 100644 --- a/go.sum +++ b/go.sum 
@@ -421,8 +421,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20200522092705-bc8506ccbcf3 h1:Yb+Wlf github.com/matrix-org/go-sqlite3-js v0.0.0-20200522092705-bc8506ccbcf3/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo= github.com/matrix-org/gomatrix v0.0.0-20190528120928-7df988a63f26 h1:Hr3zjRsq2bhrnp3Ky1qgx/fzCtCALOoGYylh2tpS9K4= github.com/matrix-org/gomatrix v0.0.0-20190528120928-7df988a63f26/go.mod h1:3fxX6gUjWyI/2Bt7J1OLhpCzOfO/bB3AiX0cJtEKud0= -github.com/matrix-org/gomatrixserverlib v0.0.0-20200807132727-7b8c09bcdfb2 h1:3eJsj8uJcr/rrxuIAY+kkIYBJUOeJkzQ8Vb4juvddXU= -github.com/matrix-org/gomatrixserverlib v0.0.0-20200807132727-7b8c09bcdfb2/go.mod h1:JsAzE1Ll3+gDWS9JSUHPJiiyAksvOOnGWF2nXdg4ZzU= +github.com/matrix-org/gomatrixserverlib v0.0.0-20200807145008-79c173b65786 h1:HQclx5J2CrCBqP88t5Di9IkVDJZn5+h4ZL48viY4FJ4= +github.com/matrix-org/gomatrixserverlib v0.0.0-20200807145008-79c173b65786/go.mod h1:JsAzE1Ll3+gDWS9JSUHPJiiyAksvOOnGWF2nXdg4ZzU= github.com/matrix-org/naffka v0.0.0-20200422140631-181f1ee7401f h1:pRz4VTiRCO4zPlEMc3ESdUOcW4PXHH4Kj+YDz1XyE+Y= github.com/matrix-org/naffka v0.0.0-20200422140631-181f1ee7401f/go.mod h1:y0oDTjZDv5SM9a2rp3bl+CU+bvTRINQsdb7YlDql5Go= github.com/matrix-org/util v0.0.0-20190711121626-527ce5ddefc7 h1:ntrLa/8xVzeSs8vHFHK25k0C+NV74sYMJnNSg5NoSRo= diff --git a/internal/config/config.go b/internal/config/config.go index 657e804f..900d3b14 100644 --- a/internal/config/config.go +++ b/internal/config/config.go 
@@ -107,6 +107,9 @@ type Dendrite struct { // is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc. // The default value is 16 if not specified, which is circa 18 hours. FederationMaxRetries uint32 `yaml:"federation_max_retries"` + // FederationDisableTLSValidation disables the validation of X.509 TLS certs + // on remote federation endpoints. This is not recommended in production! + FederationDisableTLSValidation bool `yaml:"federation_disable_tls_validation"` } `yaml:"matrix"` // The configuration specific to the media repostitory. diff --git a/internal/setup/base.go b/internal/setup/base.go index 333c0173..4fef0cbc 100644 --- a/internal/setup/base.go +++ b/internal/setup/base.go @@ -252,6 +252,7 @@ func (b *BaseDendrite) CreateAccountsDB() accounts.Database { func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient { return gomatrixserverlib.NewFederationClient( b.Cfg.Matrix.ServerName, b.Cfg.Matrix.KeyID, b.Cfg.Matrix.PrivateKey, + b.Cfg.Matrix.FederationDisableTLSValidation, ) } diff --git a/serverkeyapi/serverkeyapi_test.go b/serverkeyapi/serverkeyapi_test.go index 3368f5b2..c53575bb 100644 --- a/serverkeyapi/serverkeyapi_test.go +++ b/serverkeyapi/serverkeyapi_test.go @@ -85,7 +85,7 @@ func TestMain(m *testing.M) { // Create the federation client. s.fedclient = gomatrixserverlib.NewFederationClientWithTransport( - s.config.Matrix.ServerName, serverKeyID, testPriv, transport, + s.config.Matrix.ServerName, serverKeyID, testPriv, true, transport, ) // Finally, build the server key APIs.
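Review bot: In the internal/setup/base.go hunk CreateFederationClient now forwards `b.Cfg.Matrix.FederationDisableTLSValidation` to NewFederationClient, but nothing in the patch surfaces at runtime that an operator has turned certificate validation off; the only warning is the comment in dendrite-config.yaml. A guarded warn-level log line before the return, e.g. `if b.Cfg.Matrix.FederationDisableTLSValidation { /* warn: federation_disable_tls_validation is set, X.509 validation of remote federation endpoints is disabled */ }`, would make the weakened setting visible in every deployment's logs; which logger base.go already imports cannot be seen from this hunk, so use the one the file already uses. The field comment in the internal/config/config.go hunk could then state the default and the consequence in one clause, `// Defaults to false; a warning is logged at startup when set.`.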