Add FAQ questions to federate.md. Add a health warning making it clear that the 1711 upgrade FAQ is now out of date.

Fix bug sending federation transactions with lots of EDUs

Share an SSL context object between SSL connections

Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

If we try and send a transaction with lots of EDUs and we run out of
space, we call get_new_device_msgs_for_remote with a limit of 0, which
then failed.

Add some tests for bad certificates for federation and .well-known connections

turns out we need a shiny version of service_identity to enforce this
correctly.

Some keys are stored in the synapse database with a null valid_until_ms
which caused an exception to be thrown when using that key. We fix this
by treating nulls as zeroes, i.e. they keys will match verification
requests with a minimum_valid_until_ms of zero (i.e. don't validate ts)
but will not match requests with a non-zero minimum_valid_until_ms.

Fixes #5391.

It's not really a problem to trust notary responses signed by the old key so
long as we are also doing TLS validation.

This commit adds a check to the config parsing code at startup to check that
we do not have the insecure matrix.org key without tls validation, and refuses
to start without it.

This allows us to remove the rather alarming-looking warning which happens at
runtime.

This involves changing how the info callbacks work.

Sometimes the build agents get lost or die (error codes -1 and 2). Retry automatically a maximum of 2 times if this happens.

Error code reference:

* -1: Agent was lost
* 0: Build successful
* 1: There was an error in your code
* 2: The build stopped abruptly
* 255: The build was cancelled

fixes #5153 

Set default room version to v4.

Make a full SQL schema

Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option.

This PR is a culmination of 3 smaller PRs which have each been separately reviewed:

* #5308
* #5345
* #5368

There are a few changes going on here:

* We make checking the signature on a key server response optional: if no
  verify_keys are specified, we trust to TLS to validate the connection.

* We change the default config so that it does not require responses to be
  signed by the old key.

* We replace the old 'perspectives' config with 'trusted_key_servers', which
  is also formatted slightly differently.

* We emit a warning to the logs every time we trust a key server response
  signed by the old key.

1.0 upgrade/install notes

* Regen sample config before kicking off agents

* Add changelog

Fixes some warnings, and a scary-looking stacktrace when sytest kills the
process.

Fix get_max_topological_token to never return None

Make /sync return heroes if room name or canonical alias are empty

Validate federation server TLS certificates by default.

add a script to generate new signing_key files