From d66e5aacb7955546f705f26ab6b3530c97e2d936 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 11:08:39 +0100 Subject: [PATCH 01/21] 1.0 upgrade notes --- UPGRADE.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/UPGRADE.rst b/UPGRADE.rst index 228222d53422..8b7b745836e0 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -49,6 +49,51 @@ returned by the Client-Server API: # configured on port 443. curl -kv https:///_matrix/client/versions 2>&1 | grep "Server:" +Upgrading to v1.0 +================= + +Validation of TLS certificates Synapse v1.0 is the first release to enforce +validation of TLS certificates for the federation API. It is therefore +essential that your certificates are correctly configured. See the `FAQ +`_ for more information. + +Note, v1.0 installations will also no longer be able to federate with servers +that have not correctly configured their certificates. + +In rare cases, it may be desirable to disable certificate checking: for +example, it might be essential to be able to federate with a given legacy +server in a closed federation. This can be done in one of two ways:- * +Configure the global switch ``federation_verify_certificates`` to ``false``. * +Configure a whitelist of server domains to trust via +``federation_certificate_verification_whitelist``. + +See the `sample configuration file +`_ +for more details on these settings. Password reset emails When a user requests +a password reset, Synapse will send an email to the user to confirm the +request. + +Previous versions of Synapse delegated the job of sending this email to an +identity server. If the identity server was somehow malicious or became +compromised, it would be theoretically possible to hijack an account through +this means. + +Therefore, by default, Synapse v1.0 will send the confirmation email itself. If +Synapse is not configured with an SMTP server, password reset via email will be +disabled. + +To configure an SMTP server for Synapse, modify the configuration section +headed ``email``, and be sure to have at least the ``smtp_host``, ``smtp_port`` +and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, +``smtp_pass``, and ``require_transport_security``.. 
+ +If you are absolutely certain that you wish to continue using an identity +server for email, set ``enable_password_reset_from_is`` to ``true``. + +See the `sample configuration file +`_ +for more details on these settings. + Upgrading to v0.99.0 ==================== From fc45a323eec982f27470b7ead0b01b41eb9e34bf Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 11:45:25 +0100 Subject: [PATCH 02/21] include details of smtp configuration --- INSTALL.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 1934593148c8..eb79ee1827c1 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -397,6 +397,27 @@ To configure Synapse to expose an HTTPS port, you will need to edit For those of you upgrading your TLS certificate in readiness for Synapse 1.0, please take a look at [our guide](docs/MSC1711_certificates_FAQ.md#configuring-certificates-for-compatibility-with-synapse-100). +## Email +Email +It is desirable for Synapse to have the capability to send email, particularly +in the case of password reset. + +To configure an SMTP server for Synapse, modify the configuration section +headed ``email``, and be sure to have at least the ``smtp_host``, ``smtp_port`` +and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, +``smtp_pass``, and ``require_transport_security``.. + +If Synapse is not configured with an SMTP server, password reset via email will + be disabled. + +Previous versions of Synapse delegated the job of sending this email to an +identity server. If the identity server was somehow malicious or became +compromised, it would be theoretically possible to hijack an account through +this means. + +If you are absolutely certain that you wish to continue using an identity +server for email, set ``enable_password_reset_from_is`` to ``true``. + ## Registering a user You will need at least one user on your server in order to use a Matrix 
From 4f810e572620554b13a24acb6fc9a90897ffd6fa Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 11:46:17 +0100 Subject: [PATCH 03/21] update timeline --- docs/MSC1711_certificates_FAQ.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/MSC1711_certificates_FAQ.md b/docs/MSC1711_certificates_FAQ.md index 37f7f669c948..599462bdcb73 100644 --- a/docs/MSC1711_certificates_FAQ.md +++ b/docs/MSC1711_certificates_FAQ.md @@ -68,16 +68,14 @@ Admins should upgrade and configure a valid CA cert. Homeservers that require a .well-known entry (see below), should retain their SRV record and use it alongside their .well-known record. -**>= 5th March 2019 - Synapse 1.0.0 is released** +**10th June 2019 - Synapse 1.0.0 is released** -1.0.0 will land no sooner than 1 month after 0.99.0, leaving server admins one -month after 5th February to upgrade to 0.99.0 and deploy their certificates. In +1.0.0 is scheduled for release on 10th June. In accordance with the the [S2S spec](https://matrix.org/docs/spec/server_server/r0.1.0.html) 1.0.0 will enforce certificate validity. This means that any homeserver without a valid certificate after this point will no longer be able to federate with 1.0.0 servers. - ## Configuring certificates for compatibility with Synapse 1.0.0 ### If you do not currently have an SRV record 
@@ -146,9 +144,9 @@ You can do this with a `.well-known` file as follows: with Synapse 0.34 and earlier. 2. Give Synapse a certificate corresponding to the target domain - (`customer.example.net` in the above example). You can either use Synapse's - built-in [ACME support](./ACME.md) for this (via the `domain` parameter in - the `acme` section), or acquire a certificate yourself and give it to + (`customer.example.net` in the above example). You can either use Synapse's + built-in [ACME support](./ACME.md) for this (via the `domain` parameter in + the `acme` section), or acquire a certificate yourself and give it to Synapse via `tls_certificate_path` and `tls_private_key_path`. 3. Restart Synapse to ensure the new certificate is loaded. From 4bd4659ba3b11026b687cc0128cffc26e76a05aa Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 12:00:18 +0100 Subject: [PATCH 04/21] towncrier --- changelog.d/5371.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/5371.feature diff --git a/changelog.d/5371.feature b/changelog.d/5371.feature new file mode 100644 index 000000000000..7f960630e01a --- /dev/null +++ b/changelog.d/5371.feature @@ -0,0 +1 @@ +Update upgrade and installation guides ahead of 1.0. From 2502f5f48bcbd760be9a183b4e727dfa984fc2f1 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 13:26:16 +0100 Subject: [PATCH 05/21] Update INSTALL.md Co-Authored-By: Brendan Abolivier --- INSTALL.md | 1 - 1 file changed, 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index eb79ee1827c1..c87808439985 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -398,7 +398,6 @@ For those of you upgrading your TLS certificate in readiness for Synapse 1.0, please take a look at [our guide](docs/MSC1711_certificates_FAQ.md#configuring-certificates-for-compatibility-with-synapse-100). ## Email -Email It is desirable for Synapse to have the capability to send email, particularly in the case of password reset. 
From 097d2652f7b3297f4406f0a7a8d5a33972adecb4 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 13:27:13 +0100 Subject: [PATCH 06/21] Update INSTALL.md Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> --- INSTALL.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index c87808439985..7200a28330d5 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -415,7 +415,8 @@ compromised, it would be theoretically possible to hijack an account through this means. If you are absolutely certain that you wish to continue using an identity -server for email, set ``enable_password_reset_from_is`` to ``true``. +server for email, set ``disable_local_password_reset`` to ``true`` +under the ``email:`` configuration section. ## Registering a user From 3a7f6b65a2ab02245b969367c4f1afa368636fbc Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 13:27:25 +0100 Subject: [PATCH 07/21] Update UPGRADE.rst Co-Authored-By: Brendan Abolivier --- UPGRADE.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 8b7b745836e0..8b5351f46637 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -88,7 +88,7 @@ and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, ``smtp_pass``, and ``require_transport_security``.. If you are absolutely certain that you wish to continue using an identity -server for email, set ``enable_password_reset_from_is`` to ``true``. +server for password resets, set ``enable_password_reset_from_is`` to ``true``. See the `sample configuration file `_ From a112d28963aa479927e7763fbe03ef70c541d708 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 13:30:17 +0100 Subject: [PATCH 08/21] fix typo --- UPGRADE.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 8b7b745836e0..813cdb9b65a1 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -69,7 +69,7 @@ Configure a whitelist of server domains to trust via See the `sample configuration file `_ -for more details on these settings. Password reset emails When a user requests +for more details on these settings. When a user requests a password reset, Synapse will send an email to the user to confirm the request. From 499ff39b12e118b056f174301a5f241435df0b2e Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:03:41 +0100 Subject: [PATCH 09/21] Update INSTALL.md Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- INSTALL.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index 7200a28330d5..7540f04092c8 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -398,7 +398,8 @@ For those of you upgrading your TLS certificate in readiness for Synapse 1.0, please take a look at [our guide](docs/MSC1711_certificates_FAQ.md#configuring-certificates-for-compatibility-with-synapse-100). ## Email -It is desirable for Synapse to have the capability to send email, particularly + +It is desirable for Synapse to have the capability to send email. in the case of password reset. To configure an SMTP server for Synapse, modify the configuration section From 1a9ef1d4006d3964906d23021e0069875172ad21 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:04:19 +0100 Subject: [PATCH 10/21] Update INSTALL.md Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index 7540f04092c8..20a7a173819b 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -400,7 +400,7 @@ please take a look at [our guide](docs/MSC1711_certificates_FAQ.md#configuring-c ## Email It is desirable for Synapse to have the capability to send email. -in the case of password reset. +For example, this is required to support the 'password reset' feature. To configure an SMTP server for Synapse, modify the configuration section headed ``email``, and be sure to have at least the ``smtp_host``, ``smtp_port`` From 721b15978956684939b64191f46ab7a874dbaa6b Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:10:36 +0100 Subject: [PATCH 11/21] Update INSTALL.md Co-Authored-By: Brendan Abolivier --- INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index 20a7a173819b..953ca078ce32 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -416,7 +416,7 @@ compromised, it would be theoretically possible to hijack an account through this means. If you are absolutely certain that you wish to continue using an identity -server for email, set ``disable_local_password_reset`` to ``true`` +server for password resets, set ``disable_local_password_reset`` to ``true`` under the ``email:`` configuration section. ## Registering a user From fc7b6584a105db27f8e124b37644f13b3f3b2060 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:12:36 +0100 Subject: [PATCH 12/21] Update UPGRADE.rst Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- UPGRADE.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 134c21df0658..c67d9aaae021 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -52,7 +52,10 @@ returned by the Client-Server API: Upgrading to v1.0 ================= -Validation of TLS certificates Synapse v1.0 is the first release to enforce +Validation of TLS certificates +------------------------------ + +Synapse v1.0 is the first release to enforce validation of TLS certificates for the federation API. It is therefore essential that your certificates are correctly configured. See the `FAQ `_ for more information. From bd57760163551f8bb3910df58a0f003aae21c47e Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:16:32 +0100 Subject: [PATCH 13/21] Update UPGRADE.rst Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- UPGRADE.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index c67d9aaae021..9f73e9e7fa17 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -68,7 +68,7 @@ example, it might be essential to be able to federate with a given legacy server in a closed federation. This can be done in one of two ways:- * Configure the global switch ``federation_verify_certificates`` to ``false``. * Configure a whitelist of server domains to trust via -``federation_certificate_verification_whitelist``. + ``federation_certificate_verification_whitelist``. See the `sample configuration file `_ From 9af2b55f762b764705784c3c0fb224b328ec2414 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:35:11 +0100 Subject: [PATCH 14/21] Update UPGRADE.rst Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- UPGRADE.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 9f73e9e7fa17..d7b64b372845 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -93,7 +93,7 @@ and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, If you are absolutely certain that you wish to continue using an identity server for password resets, set ``enable_password_reset_from_is`` to ``true``. -See the `sample configuration file +See the `sample configuration file `_ `_ for more details on these settings. From 78b155649cb3334e0cdeda232c60390c1509aa04 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:35:38 +0100 Subject: [PATCH 15/21] Update UPGRADE.rst Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- UPGRADE.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index d7b64b372845..978e4b403bcf 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -94,7 +94,6 @@ If you are absolutely certain that you wish to continue using an identity server for password resets, set ``enable_password_reset_from_is`` to ``true``. See the `sample configuration file `_ -`_ for more details on these settings. Upgrading to v0.99.0 From 588c18bb5bc5a92937eac4aeff476582bd3b8f88 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:45:46 +0100 Subject: [PATCH 16/21] style and typos --- INSTALL.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 953ca078ce32..a4a72b36b174 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -408,15 +408,14 @@ and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, ``smtp_pass``, and ``require_transport_security``.. If Synapse is not configured with an SMTP server, password reset via email will - be disabled. + be disabled by default. -Previous versions of Synapse delegated the job of sending this email to an -identity server. If the identity server was somehow malicious or became -compromised, it would be theoretically possible to hijack an account through -this means. +Alternatively it is possible delegate the sending of email to the server's identity server. +Doing so is convenient but not recommended, since a malicious or compromised identity server could +theoretically hijack a given user's account by redirecting mail. -If you are absolutely certain that you wish to continue using an identity -server for password resets, set ``disable_local_password_reset`` to ``true`` +If you are absolutely certain that you wish to use the server's identity +server for password resets, set ``trust_identity_server_for_password_resets`` to ``true`` under the ``email:`` configuration section. ## Registering a user From 7c110e43ee9eedf8434a94afcdeeda709c9c25ab Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:46:26 +0100 Subject: [PATCH 17/21] style and typos --- UPGRADE.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 9f73e9e7fa17..f69b33b9e527 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -52,7 +52,7 @@ returned by the Client-Server API: Upgrading to v1.0 ================= -Validation of TLS certificates +Validation of TLS certificates ------------------------------ Synapse v1.0 is the first release to enforce 
@@ -65,9 +65,9 @@ that have not correctly configured their certificates. In rare cases, it may be desirable to disable certificate checking: for example, it might be essential to be able to federate with a given legacy -server in a closed federation. This can be done in one of two ways:- * -Configure the global switch ``federation_verify_certificates`` to ``false``. * -Configure a whitelist of server domains to trust via +server in a closed federation. This can be done in one of two ways:- + * Configure the global switch ``federation_verify_certificates`` to ``false``. + * Configure a whitelist of server domains to trust via ``federation_certificate_verification_whitelist``. See the `sample configuration file @@ -91,7 +91,7 @@ and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, ``smtp_pass``, and ``require_transport_security``.. If you are absolutely certain that you wish to continue using an identity -server for password resets, set ``enable_password_reset_from_is`` to ``true``. +server for password resets, set ``trust_identity_server_for_password_resets`` to ``true``. See the `sample configuration file `_ From f45030d8d7d9ef6cc855c92b7c1b4823578953b3 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 16:56:54 +0100 Subject: [PATCH 18/21] style typos --- INSTALL.md | 19 ++++++++++--------- UPGRADE.rst | 3 +-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index a4a72b36b174..bda6741cb20f 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -394,13 +394,13 @@ To configure Synapse to expose an HTTPS port, you will need to edit instance, if using certbot, use `fullchain.pem` as your certificate, not `cert.pem`). -For those of you upgrading your TLS certificate in readiness for Synapse 1.0, +For those of you upgrading your TLS certificate for Synapse 1.0 compliance, please take a look at [our guide](docs/MSC1711_certificates_FAQ.md#configuring-certificates-for-compatibility-with-synapse-100). ## Email -It is desirable for Synapse to have the capability to send email. -For example, this is required to support the 'password reset' feature. +It is desirable for Synapse to have the capability to send email. For example, +this is required to support the 'password reset' feature. To configure an SMTP server for Synapse, modify the configuration section headed ``email``, and be sure to have at least the ``smtp_host``, ``smtp_port`` 
@@ -410,13 +410,14 @@ and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, If Synapse is not configured with an SMTP server, password reset via email will be disabled by default. -Alternatively it is possible delegate the sending of email to the server's identity server. -Doing so is convenient but not recommended, since a malicious or compromised identity server could -theoretically hijack a given user's account by redirecting mail. +Alternatively it is possible delegate the sending of email to the server's +identity server. Doing so is convenient but not recommended, since a malicious +or compromised identity server could theoretically hijack a given user's +account by redirecting mail. -If you are absolutely certain that you wish to use the server's identity -server for password resets, set ``trust_identity_server_for_password_resets`` to ``true`` -under the ``email:`` configuration section. +If you are absolutely certain that you wish to use the server's identity server +for password resets, set ``trust_identity_server_for_password_resets`` to +``true`` under the ``email:`` configuration section. ## Registering a user diff --git a/UPGRADE.rst b/UPGRADE.rst index 3cc1dbb344b6..06f667cae4c5 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -70,8 +70,7 @@ server in a closed federation. This can be done in one of two ways:- * Configure a whitelist of server domains to trust via ``federation_certificate_verification_whitelist``. -See the `sample configuration file -`_ +See the `sample configuration file `_ for more details on these settings. When a user requests a password reset, Synapse will send an email to the user to confirm the request. From aab115360f001f2866998617aeb308138f329e92 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 17:00:38 +0100 Subject: [PATCH 19/21] typos --- UPGRADE.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/UPGRADE.rst b/UPGRADE.rst index 06f667cae4c5..d0310abec36e 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -71,9 +71,12 @@ server in a closed federation. This can be done in one of two ways:- ``federation_certificate_verification_whitelist``. See the `sample configuration file `_ -for more details on these settings. When a user requests -a password reset, Synapse will send an email to the user to confirm the -request. +for more details on these settings. + +Email +----- +When a user requests a password reset, Synapse will send an email to the +user to confirm the request. Previous versions of Synapse delegated the job of sending this email to an identity server. If the identity server was somehow malicious or became @@ -87,7 +90,7 @@ disabled. To configure an SMTP server for Synapse, modify the configuration section headed ``email``, and be sure to have at least the ``smtp_host``, ``smtp_port`` and ``notif_from`` fields filled out. You may also need to set ``smtp_user``, -``smtp_pass``, and ``require_transport_security``.. +``smtp_pass``, and ``require_transport_security``. If you are absolutely certain that you wish to continue using an identity server for password resets, set ``trust_identity_server_for_password_resets`` to ``true``. From 1bcd521f6e9afdb64953095e0d1868436f0951e3 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Thu, 6 Jun 2019 17:03:28 +0100 Subject: [PATCH 20/21] Update INSTALL.md --- INSTALL.md | 1 + 1 file changed, 1 insertion(+) diff --git a/INSTALL.md b/INSTALL.md index bda6741cb20f..d3a450f40f57 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -5,6 +5,7 @@ * [Prebuilt packages](#prebuilt-packages) * [Setting up Synapse](#setting-up-synapse) * [TLS certificates](#tls-certificates) + * [Email](#email) * [Registering a user](#registering-a-user) * [Setting up a TURN server](#setting-up-a-turn-server) * [URL previews](#url-previews) From 2ec57c5d168971de1d2663e80189f4bcd3940c15 Mon Sep 17 00:00:00 2001 
From: Neil Johnson Date: Thu, 6 Jun 2019 17:07:25 +0100 Subject: [PATCH 21/21] Update UPGRADE.rst --- UPGRADE.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index d0310abec36e..6032a505c945 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -66,9 +66,9 @@ that have not correctly configured their certificates. In rare cases, it may be desirable to disable certificate checking: for example, it might be essential to be able to federate with a given legacy server in a closed federation. This can be done in one of two ways:- - * Configure the global switch ``federation_verify_certificates`` to ``false``. - * Configure a whitelist of server domains to trust via - ``federation_certificate_verification_whitelist``. + +* Configure the global switch ``federation_verify_certificates`` to ``false``. +* Configure a whitelist of server domains to trust via ``federation_certificate_verification_whitelist``. See the `sample configuration file `_ for more details on these settings.
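Review bot: In [PATCH 03/21], first hunk of docs/MSC1711_certificates_FAQ.md, the rewritten paragraph still reads "In accordance with the the [S2S spec]", with a doubled "the" directly after the new `+1.0.0 is scheduled for release on 10th June. In` line; since the sentence is being touched anyway, fix it here. The new heading also says "10th June 2019 - Synapse 1.0.0 is released" while the body says "is scheduled for release", so pick one tense so admins reading the timeline can tell whether enforcement of certificate validity is already in effect.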
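Review bot: In [PATCH 17/21], third hunk of UPGRADE.rst, the new `trust_identity_server_for_password_resets` sentence does not say where the option lives, whereas the INSTALL.md wording in [PATCH 16/21] and [PATCH 18/21] ends with "under the ``email:`` configuration section". Suggest adding the same clause here so both documents agree. The option has also gone through three names in this series (`enable_password_reset_from_is`, `disable_local_password_reset`, `trust_identity_server_for_password_resets`); before merging, check the final spelling against the sample configuration file this section links to, because it is the switch that hands password resets back to the identity server.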
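Review bot: In [PATCH 18/21], second INSTALL.md hunk, the re-wrapped paragraph keeps the grammar slip introduced in [PATCH 16/21]: "Alternatively it is possible delegate the sending of email" is missing "to" ("it is possible to delegate"). The preceding context line " be disabled by default." also keeps its leading space, and "by default" is unclear there because the only alternative described is the identity-server delegation in the next paragraph; suggest "password reset via email will be disabled" as in UPGRADE.rst, or naming the non-default case explicitly.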
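Review bot: In [PATCH 19/21], second hunk of UPGRADE.rst, the doubled full stop after ``require_transport_security`` is fixed for UPGRADE.rst only; the same "``require_transport_security``.." text added to INSTALL.md in [PATCH 02/21] is still present (it appears as context in the [PATCH 16/21] hunk) and no later patch in the series touches it. Please fix it there too. In the first hunk, the new "Email" heading goes straight into the paragraph with no blank line after the `-----` underline, unlike the "Validation of TLS certificates" heading added in [PATCH 12/21]; add the blank line for consistency.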
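Review bot: In [PATCH 21/21], the two bullets present setting ``federation_verify_certificates`` to ``false`` and using ``federation_certificate_verification_whitelist`` as interchangeable, but they differ in scope: the global switch turns off validation for every federation peer, while the whitelist exempts only the named domains. For the case the paragraph itself gives ("a given legacy server in a closed federation") the whitelist is sufficient, so suggest listing it first and describing the global switch as the last resort. The lead-in still ends "two ways:-"; drop the stray "-" now that the list is a proper bullet list, and consider wrapping the second bullet, which is now one long line.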