Allow enforcing X.509 certificate validity (MSC1711) (#1249)

* Configurable X.509 certificate validation * Fix dendritejs * Update go.mod/go.sum for matrix-org/gomatrixserverlib#214 * Update sample config
2025-07-29 12:42:46 +00:00 · 2020-08-07 17:25:31 +01:00 · 2020-08-07 17:25:31 +01:00 · 30c2325eaf
commit 30c2325eaf
parent 5dd5a41119
12 changed files with 23 additions and 14 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -107,6 +107,9 @@ type Dendrite struct {
 		// is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
 		// The default value is 16 if not specified, which is circa 18 hours.
 		FederationMaxRetries uint32 `yaml:"federation_max_retries"`
+		// FederationDisableTLSValidation disables the validation of X.509 TLS certs
+		// on remote federation endpoints. This is not recommended in production!
+		FederationDisableTLSValidation bool `yaml:"federation_disable_tls_validation"`
 	} `yaml:"matrix"`

 	// The configuration specific to the media repostitory.
--- a/internal/setup/base.go
+++ b/internal/setup/base.go
@ -252,6 +252,7 @@ func (b *BaseDendrite) CreateAccountsDB() accounts.Database {
 func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient {
 	return gomatrixserverlib.NewFederationClient(
 		b.Cfg.Matrix.ServerName, b.Cfg.Matrix.KeyID, b.Cfg.Matrix.PrivateKey,
+		b.Cfg.Matrix.FederationDisableTLSValidation,
 	)
 }