matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

Supporting TLS 1.3 #97

Closed kujeger closed 4 years ago

kujeger commented 4 years ago

Hi there! I noticed I was getting errors in the federation tester since I had set up haproxy for TLS 1.3 only. Enabling TLS 1.2 as well resolved it, but would be nice to have the support!

Thanks for a very useful service!

richvdh commented 4 years ago

I'm not entirely certain that synapse correctly supports tls 1.3 for outbound connections... any idea?

kujeger commented 4 years ago

It did appear to work fine except for the federation tester prior to this, but I am not 100% sure.

ilmari commented 4 years ago

Having just configured the NGINX in front of my Synapse to only allow TLSv1.3, federation is still working just fine. Go supports TLSv1.3 as of version 1.12, but it's not enabled by default until 1.13: https://golang.org/doc/go1.12#tls_1_3

richvdh commented 4 years ago

some notes for my own reference: it looks like synapse will talk to TLSv1.3 servers out of the box as long as you have openssl 1.1.1: https://wiki.openssl.org/index.php/TLS1.3.

most synapse users will be using the statically-linked openssl that comes with cryptography; that has been 1.1.1 since cryptography v2.5 (https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst#25---2019-01-22).

The main exception to that is synapses using the docker image: see https://github.com/matrix-org/synapse/issues/7000.