From 93850f0ac8269a503178952983d52639494187e6 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 4 Apr 2019 16:20:56 +0100 Subject: [PATCH] domain globbing --- docs/sample_config.yaml | 4 ++-- synapse/config/tls.py | 17 ++++++++++------- synapse/crypto/context_factory.py | 10 +++++----- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index e1d4ca2eff..9c74dcd186 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml @@ -274,8 +274,8 @@ listeners: # #federation_certificate_verification_whitelist: # - lon.example.com -# - nyc.example.com -# - syd.example.com +# - *.domain.com +# - *.onion # List of custom certificate authorities for federation traffic. # diff --git a/synapse/config/tls.py b/synapse/config/tls.py index 162099dc5e..6f76cf80b0 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -27,6 +27,7 @@ from OpenSSL import crypto from twisted.internet._sslverify import Certificate, trustRootFromCertificates from synapse.config._base import Config, ConfigError +from synapse.util import glob_to_regex logger = logging.getLogger(__name__) @@ -77,14 +78,16 @@ class TlsConfig(Config): ) # Whitelist of domains to not verify certificates for - federation_certificate_verification_whitelist = config.get( + fed_whitelist_entries = config.get( "federation_certificate_verification_whitelist", [], ) - # Store whitelisted domains in a hash for fast lookup - self.federation_certificate_verification_whitelist = {} - for domain in federation_certificate_verification_whitelist: - self.federation_certificate_verification_whitelist[domain] = True + # Support globs (*) in whitelist values + self.federation_certificate_verification_whitelist = [] + for entry in fed_whitelist_entries: + # Convert globs to regex + entry_regex = glob_to_regex(entry) + self.federation_certificate_verification_whitelist.append(entry_regex) # List of custom certificate authorities for federation traffic validation custom_ca_list = config.get( @@ -252,8 +255,8 @@ class TlsConfig(Config): # #federation_certificate_verification_whitelist: # - lon.example.com - # - nyc.example.com - # - syd.example.com + # - *.domain.com + # - *.onion # List of custom certificate authorities for federation traffic. # diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py index 6ebbd3b73c..59ea087e66 100644 --- a/synapse/crypto/context_factory.py +++ b/synapse/crypto/context_factory.py @@ -145,11 +145,11 @@ class ClientTLSOptionsFactory(object): should_verify = self._config.federation_verify_certificates # Check if we've disabled certificate verification for this host - if ( - should_verify and - host in self._config.federation_certificate_verification_whitelist - ): - should_verify = False + if should_verify: + for regex in self._config.federation_certificate_verification_whitelist: + if regex.match(host): + should_verify = False + break if should_verify: return ClientTLSOptions(host, self._options_verify._makeContext())