diff --git a/src/github.com/matrix-org/dendrite/cmd/dendrite-federation-api-server/main.go b/src/github.com/matrix-org/dendrite/cmd/dendrite-federation-api-server/main.go index 01305a4c9..dbdc911ad 100644 --- a/src/github.com/matrix-org/dendrite/cmd/dendrite-federation-api-server/main.go +++ b/src/github.com/matrix-org/dendrite/cmd/dendrite-federation-api-server/main.go @@ -15,6 +15,7 @@ package main import ( + "encoding/base64" "net/http" "os" "time" @@ -32,6 +33,14 @@ var ( logDir = os.Getenv("LOG_DIR") serverName = gomatrixserverlib.ServerName(os.Getenv("SERVER_NAME")) serverKey = os.Getenv("SERVER_KEY") + // Base64 encoded SHA256 TLS fingerprint of the X509 certificate used by + // the public federation listener for this server. + // Can be generated from a PEM certificate called "server.crt" using: + // + // openssl x509 -noout -fingerprint -sha256 -inform pem -in server.crt |\ + // python -c 'print raw_input()[19:].replace(":","").decode("hex").encode("base64").rstrip("=\n")' + // + tlsFingerprint = os.Getenv("TLS_FINGERPRINT") ) func main() { @@ -44,14 +53,15 @@ func main() { serverName = "localhost" } + if tlsFingerprint == "" { + log.Panic("No TLS_FINGERPRINT environment variable found.") + } + cfg := config.FederationAPI{ ServerName: serverName, // TODO: make the validity period configurable. ValidityPeriod: 24 * time.Hour, } - cfg.TLSFingerPrints = []gomatrixserverlib.TLSFingerprint{ - {[]byte("o\xe2\xd1\x05A7g\xd6=\x10\xdfq\x9e4\xb1:/\x9co>\x01g\x1d\xb8\xbebFf]\xf0\x89N")}, - } var err error cfg.KeyID, cfg.PrivateKey, err = common.ReadKey(serverKey) @@ -59,6 +69,12 @@ func main() { log.Panicf("Failed to load private key: %s", err) } + var fingerprintSHA256 []byte + if fingerprintSHA256, err = base64.RawStdEncoding.DecodeString(tlsFingerprint); err != nil { + log.Panicf("Failed to load TLS fingerprint: %s", err) + } + cfg.TLSFingerPrints = []gomatrixserverlib.TLSFingerprint{{fingerprintSHA256}} + routing.Setup(http.DefaultServeMux, cfg) log.Fatal(http.ListenAndServe(bindAddr, nil)) }