State-reset and security mitigations.

Upgrade Ruma to present.

The following are intentionally benign for activation in a later commit:

- Hydra backports not default.
- Room version 12 not default.
- Room version 12 not listed as stable.

Do not enable them manually or you can brick your database.

Signed-off-by: Jason Volk <jason@zemos.net>
@@ -533,20 +533,33 @@
#allow_room_creation = true
# Set to false to disable users from joining or creating room versions
# that aren't officially supported by tuwunel.
# that aren't officially supported by tuwunel. Unstable room versions may
# have flawed specifications or our implementation may be non-conforming.
# Correct operation may not be guaranteed, but incorrect operation may be
# tolerable and unnoticed.
#
# tuwunel officially supports room versions 6 - 11.
#
# tuwunel has slightly experimental (though works fine in practice)
# support for versions 3 - 5.
# tuwunel officially supports room versions 6+. tuwunel has slightly
# experimental (though works fine in practice) support for versions 3 - 5.
#
#allow_unstable_room_versions = true
# Set to true to enable experimental room versions.
#
# Unlike unstable room versions these versions are either under
# development, protype spec-changes, or somehow present a serious risk to
# the server's operation or database corruption. This is for developer use
# only.
#
#allow_experimental_room_versions = false
# Default room version tuwunel will create rooms with.
#
# Per spec, room version 11 is the default.
# The default is prescribed by the spec, but may be selected by developer
# recommendation. To prevent stale documentation we no longer list it
# here. It is only advised to override this if you know what you are
# doing, and by doing so, updates with new versions are precluded.
#
#default_room_version = 11
#default_room_version =
# This item is undocumented. Please contribute documentation for it.
#
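Review bot: The support statement in the allow_unstable_room_versions comment now reads "officially supports room versions 6+", which is open-ended and no longer tells an operator where room version 12 falls, while the commit message says version 12 is not listed as stable and must not be enabled manually. Since allow_unstable_room_versions is shown defaulting to true, consider stating the upper bound explicitly, or naming which setting gates version 12, until the activation commit lands. Separately, "#default_room_version =" is now an empty placeholder: the comment says the value is no longer listed here, so add a pointer to where the effective default can be looked up. The word "protype" in the allow_experimental_room_versions text should be "prototype".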
@@ -1615,6 +1628,30 @@
#
#config_reload_signal = true
# Backport state-reset security fixes to all room versions.
#
# This option applies the State Resolution 2.1 mitigation developed during
# project Hydra for room version 12 to all prior State Resolution 2.0 room
# versions (all room versions supported by this server). These mitigations
# increase resilience to state-resets without any new definition of
# correctness; therefor it is safe to set this to true for existing rooms.
#
# Furthermore, state-reset attacks are not consistent as they result in
# rooms without any single consensus, therefor it is unnecessary to set
# this to false to match other servers which set this to false or simply
# lack support; even if replicating the post-reset state suffered by other
# servers is somehow desired.
#
# This option exists for developer and debug use, and as a failsafe in
# lieu of hardcoding it.
#
# This currently defaults to false as a matter of development until
# real-world testing can shake out any implementation issues rather than
# jeopardize existing rooms, but otherwise will default to true at the
# next point release or patch.
#
#hydra_backports = false
#[global.tls]
# Path to a valid TLS certificate file.
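Review bot: The hydra_backports comment says "it is safe to set this to true for existing rooms", but the commit message lists Hydra backports among the items that must not be enabled manually "or you can brick your database". The example config should carry that same warning for as long as the default stays false, otherwise an operator who reads only this file will turn the option on. The sentence promising a default of true "at the next point release or patch" will go stale in the way the default_room_version comment in the previous hunk was reworded to avoid; consider dropping the timing. Also, "therefor" should be "therefore" in both places.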