send SNI for federation requests

2024-11-25 19:15:51 +03:00 · 2018-06-24 22:38:43 +02:00 · 2018-06-24 22:38:43 +02:00 · 3d605853c8
commit 3d605853c8
parent 1d009013b3
15 changed files with 71 additions and 13 deletions
--- a/synapse/app/client_reader.py
+++ b/synapse/app/client_reader.py
@ -153,11 +153,13 @@ def start(config_options):
    database_engine = create_engine(config.database_config)
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ss = ClientReaderServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/event_creator.py
+++ b/synapse/app/event_creator.py
@ -171,11 +171,13 @@ def start(config_options):
    database_engine = create_engine(config.database_config)
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ss = EventCreatorServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/federation_reader.py
+++ b/synapse/app/federation_reader.py
@ -142,11 +142,13 @@ def start(config_options):
    database_engine = create_engine(config.database_config)
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ss = FederationReaderServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/federation_sender.py
+++ b/synapse/app/federation_sender.py
@ -185,11 +185,13 @@ def start(config_options):
    config.send_federation = True
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ps = FederationSenderServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/frontend_proxy.py
+++ b/synapse/app/frontend_proxy.py
@ -209,11 +209,13 @@ def start(config_options):
    database_engine = create_engine(config.database_config)
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ss = FrontendProxyServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@ -321,6 +321,7 @@ def setup(config_options):
    events.USE_FROZEN_DICTS = config.use_frozen_dicts
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    database_engine = create_engine(config.database_config)
    config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection
@ -329,6 +330,7 @@ def setup(config_options):
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/media_repository.py
+++ b/synapse/app/media_repository.py
@ -156,11 +156,13 @@ def start(config_options):
    database_engine = create_engine(config.database_config)
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ss = MediaRepositoryServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/app/user_dir.py
+++ b/synapse/app/user_dir.py
@ -213,11 +213,13 @@ def start(config_options):
    config.update_user_directory = True
    tls_server_context_factory = context_factory.ServerContextFactory(config)
    tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)
    ps = UserDirectoryServer(
        config.server_name,
        db_config=config.database_config,
        tls_server_context_factory=tls_server_context_factory,
        tls_client_options_factory=tls_client_options_factory,
        config=config,
        version_string="Synapse/" + get_version_string(synapse),
        database_engine=database_engine,
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -47,6 +47,8 @@ class TlsConfig(Config):
        self.tls_fingerprints = config["tls_fingerprints"]
        self.tls_ignore_certificate_validation = config.get("tls_ignore_certificate_validation", False)
        # Check that our own certificate is included in the list of fingerprints
        # and include it if it is not.
        x509_certificate_bytes = crypto.dump_certificate(
@ -73,6 +75,8 @@ class TlsConfig(Config):
        tls_private_key_path = base_key_name + ".tls.key"
        tls_dh_params_path = base_key_name + ".tls.dh"
        tls_ignore_certificate_validation = False
        return """\
        # PEM encoded X509 certificate for TLS.
        # You can replace the self-signed certificate that synapse
@ -117,6 +121,11 @@ class TlsConfig(Config):
        #
        tls_fingerprints: []
        # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
        # Ignore certificate validation for TLS client connections to other
        # homeservers using federation. Don't enable this in a production
        # environment, unless you know what you are doing!
        tls_ignore_certificate_validation: %(tls_ignore_certificate_validation)s
        """ % locals()
    def read_tls_certificate(self, cert_path):
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -14,7 +14,8 @@
 from twisted.internet import ssl
 from OpenSSL import SSL, crypto
-from twisted.internet._sslverify import _defaultCurveName
+from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, OpenSSLCertificateOptions, \
    optionsForClientTLS
 import logging
@ -48,3 +49,34 @@ class ServerContextFactory(ssl.ContextFactory):
    def getContext(self):
        return self._context
 class ClientTLSOptionsNoCertVerification(ClientTLSOptions):
    """Redefinition of ClientTLSOptions to completely ignore certificate
    validation. Should be kept in sync with the original class in Twisted.
    This version of ClientTLSOptions is only intended for development use."""
    def __init__(self, *args, **kwargs):
        super(ClientTLSOptionsNoCertVerification, self).__init__(*args, **kwargs)
        def do_nothing(*_args, **_kwargs):
            pass
        self._ctx.set_info_callback(do_nothing)
 class ClientTLSOptionsFactory(object):
    """Factory for Twisted ClientTLSOptions that are used to make connections
    to remote servers for federation."""
    def __init__(self, config):
        self._ignore_certificate_validation = config.tls_ignore_certificate_validation
    def get_options(self, host):
        if self._ignore_certificate_validation:
            return ClientTLSOptionsNoCertVerification(
                unicode(host),
                OpenSSLCertificateOptions(verify=False).getContext()
            )
        else:
            return optionsForClientTLS(unicode(host))
--- a/synapse/crypto/keyclient.py
+++ b/synapse/crypto/keyclient.py
@ -28,14 +28,14 @@ KEY_API_V1 = b"/_matrix/key/v1/"
@defer.inlineCallbacks
-def fetch_server_key(server_name, ssl_context_factory, path=KEY_API_V1):
+def fetch_server_key(server_name, tls_client_options_factory, path=KEY_API_V1):
    """Fetch the keys for a remote server."""
    factory = SynapseKeyClientFactory()
    factory.path = path
    factory.host = server_name
    endpoint = matrix_federation_endpoint(
-        reactor, server_name, ssl_context_factory, timeout=30
+        reactor, server_name, tls_client_options_factory, timeout=30
    )
    for i in range(5):
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@ -510,7 +510,7 @@ class Keyring(object):
                continue
            (response, tls_certificate) = yield fetch_server_key(
-                server_name, self.hs.tls_server_context_factory,
+                server_name, self.tls_client_options_factory,
                path=(b"/_matrix/key/v2/server/%s" % (
                    urllib.quote(requested_key_id),
                )).encode("ascii"),
@ -653,7 +653,7 @@ class Keyring(object):
        # Try to fetch the key from the remote server.
        (response, tls_certificate) = yield fetch_server_key(
-            server_name, self.hs.tls_server_context_factory
+            server_name, self.hs.tls_client_options_factory
        )
        # Check the response.
--- a/synapse/http/endpoint.py
+++ b/synapse/http/endpoint.py
@ -26,7 +26,6 @@ import time
 logger = logging.getLogger(__name__)
 SERVER_CACHE = {}
 # our record of an individual server which can be tried to reach a destination.
@ -38,15 +37,15 @@ _Server = collections.namedtuple(
 )
-def matrix_federation_endpoint(reactor, destination, ssl_context_factory=None,
+def matrix_federation_endpoint(reactor, destination, tls_client_options_factory=None,
                               timeout=None):
    """Construct an endpoint for the given matrix destination.
    Args:
        reactor: Twisted reactor.
        destination (bytes): The name of the server to connect to.
-        ssl_context_factory (twisted.internet.ssl.ContextFactory): Factory
+        tls_client_options_factory (synapse.crypto.context_factory.ClientTLSOptionsFactory): 
-            which generates SSL contexts to use for TLS.
+            Factory which generates TLS options for client connections.
        timeout (int): connection timeout in seconds
    """
@ -59,13 +58,13 @@ def matrix_federation_endpoint(reactor, destination, ssl_context_factory=None,
    if timeout is not None:
        endpoint_kw_args.update(timeout=timeout)
-    if ssl_context_factory is None:
+    if tls_client_options_factory is None:
        transport_endpoint = HostnameEndpoint
        default_port = 8008
    else:
        def transport_endpoint(reactor, host, port, timeout):
            return wrapClientTLS(
-                ssl_context_factory,
+                tls_client_options_factory.get_options(unicode(host)),
                HostnameEndpoint(reactor, host, port, timeout=timeout))
        default_port = 8448
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@ -62,14 +62,14 @@ MAX_SHORT_RETRIES = 3
 class MatrixFederationEndpointFactory(object):
    def __init__(self, hs):
-        self.tls_server_context_factory = hs.tls_server_context_factory
+        self.tls_client_options_factory = hs.tls_client_options_factory
    def endpointForURI(self, uri):
        destination = uri.netloc
        return matrix_federation_endpoint(
            reactor, destination, timeout=10,
-            ssl_context_factory=self.tls_server_context_factory
+            tls_client_options_factory = self.tls_client_options_factory
        )
--- a/tests/utils.py
+++ b/tests/utils.py
@ -114,6 +114,7 @@ def setup_test_homeserver(name="test", datastore=None, config=None, reactor=None
            database_engine=db_engine,
            room_list_handler=object(),
            tls_server_context_factory=Mock(),
            tls_client_options_factory=Mock(),
            reactor=reactor,
            **kargs
        )
@ -134,6 +135,7 @@ def setup_test_homeserver(name="test", datastore=None, config=None, reactor=None
            database_engine=db_engine,
            room_list_handler=object(),
            tls_server_context_factory=Mock(),
            tls_client_options_factory=Mock(),
            **kargs
        )