Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve startup checks for insecure notary configs #5392

Merged
merged 2 commits into from Jun 10, 2019

Conversation

Projects
None yet
3 participants
@richvdh
Copy link
Member

commented Jun 7, 2019

It's not really a problem to trust notary responses signed by the old key so
long as we are also doing TLS validation.

This commit adds a check to the config parsing code at startup to check that
we do not have the insecure matrix.org key without tls validation, and refuses
to start without it.

This allows us to remove the rather alarming-looking warning which happens at
runtime.

richvdh added some commits Jun 7, 2019

Improve startup checks for insecure notary configs
It's not really a problem to trust notary responses signed by the old key so
long as we are also doing TLS validation.

This commit adds a check to the config parsing code at startup to check that
we do not have the insecure matrix.org key without tls validation, and refuses
to start without it.

This allows us to remove the rather alarming-looking warning which happens at
runtime.

@richvdh richvdh requested a review from matrix-org/synapse-core Jun 7, 2019

@richvdh richvdh added the Synapse v1.0 label Jun 7, 2019

@@ -41,6 +41,15 @@
you are *sure* you want to do this, set 'accept_keys_insecurely' on the
keyserver configuration."""

RELYING_ON_MATRIX_KEY_ERROR = """\

This comment has been minimized.

Copy link
@anoadragon453

anoadragon453 Jun 7, 2019

Member
Suggested change
RELYING_ON_MATRIX_KEY_ERROR = """\
RELYING_ON_MATRIX_KEY_ERROR = """

This comment has been minimized.

Copy link
@richvdh

richvdh Jun 7, 2019

Author Member

nope, this is deliberate. I don't want the leading newline.

@richvdh richvdh requested a review from matrix-org/synapse-core Jun 10, 2019

@richvdh richvdh merged commit 88d7182 into release-v1.0.0 Jun 10, 2019

22 checks passed

buildkite/synapse Build #1991 passed (17 minutes, 55 seconds)
Details
buildkite/synapse/check-sample-config Passed (1 minute, 18 seconds)
Details
buildkite/synapse/isort Passed (27 seconds)
Details
buildkite/synapse/newspaper-newsfile Passed (13 seconds)
Details
buildkite/synapse/packaging Passed (22 seconds)
Details
buildkite/synapse/pep-8 Passed (1 minute)
Details
buildkite/synapse/pipeline Passed (3 seconds)
Details
buildkite/synapse/python-2-dot-7-slash-postgres-9-dot-4 Passed (15 minutes, 18 seconds)
Details
buildkite/synapse/python-2-dot-7-slash-postgres-9-dot-5 Passed (15 minutes, 9 seconds)
Details
buildkite/synapse/python-2-dot-7-slash-sqlite Passed (5 minutes, 2 seconds)
Details
buildkite/synapse/python-2-dot-7-slash-sqlite-slash-old-deps Passed (6 minutes, 7 seconds)
Details
buildkite/synapse/python-3-dot-5-slash-postgres-9-dot-4 Passed (15 minutes, 44 seconds)
Details
buildkite/synapse/python-3-dot-5-slash-postgres-9-dot-5 Passed (15 minutes, 47 seconds)
Details
buildkite/synapse/python-3-dot-5-slash-sqlite Passed (5 minutes, 28 seconds)
Details
buildkite/synapse/python-3-dot-6-slash-sqlite Passed (5 minutes, 22 seconds)
Details
buildkite/synapse/python-3-dot-7-slash-postgres-11 Passed (16 minutes, 27 seconds)
Details
buildkite/synapse/python-3-dot-7-slash-postgres-9-dot-5 Passed (16 minutes, 23 seconds)
Details
buildkite/synapse/python-3-dot-7-slash-sqlite Passed (5 minutes, 22 seconds)
Details
ci/circleci: sytestpy2merged Your tests passed on CircleCI!
Details
ci/circleci: sytestpy2postgresmerged Your tests passed on CircleCI!
Details
ci/circleci: sytestpy3merged Your tests passed on CircleCI!
Details
ci/circleci: sytestpy3postgresmerged Your tests passed on CircleCI!
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.