domain globbing

This commit is contained in:
Andrew Morgan 2019-04-04 16:20:56 +01:00
parent edf2dd4744
commit 93850f0ac8
3 changed files with 17 additions and 14 deletions


@ -274,8 +274,8 @@ listeners:
# #
#federation_certificate_verification_whitelist: #federation_certificate_verification_whitelist:
# - lon.example.com # - lon.example.com
# - nyc.example.com # - *.domain.com
# - syd.example.com # - *.onion
# List of custom certificate authorities for federation traffic. # List of custom certificate authorities for federation traffic.
# #


@ -27,6 +27,7 @@ from OpenSSL import crypto
from twisted.internet._sslverify import Certificate, trustRootFromCertificates from twisted.internet._sslverify import Certificate, trustRootFromCertificates
from synapse.config._base import Config, ConfigError from synapse.config._base import Config, ConfigError
from synapse.util import glob_to_regex
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -77,14 +78,16 @@ class TlsConfig(Config):
) )
# Whitelist of domains to not verify certificates for # Whitelist of domains to not verify certificates for
federation_certificate_verification_whitelist = config.get( fed_whitelist_entries = config.get(
"federation_certificate_verification_whitelist", [], "federation_certificate_verification_whitelist", [],
) )
# Store whitelisted domains in a hash for fast lookup # Support globs (*) in whitelist values
self.federation_certificate_verification_whitelist = {} self.federation_certificate_verification_whitelist = []
for domain in federation_certificate_verification_whitelist: for entry in fed_whitelist_entries:
self.federation_certificate_verification_whitelist[domain] = True # Convert globs to regex
entry_regex = glob_to_regex(entry)
self.federation_certificate_verification_whitelist.append(entry_regex)
# List of custom certificate authorities for federation traffic validation # List of custom certificate authorities for federation traffic validation
custom_ca_list = config.get( custom_ca_list = config.get(
@ -252,8 +255,8 @@ class TlsConfig(Config):
# #
#federation_certificate_verification_whitelist: #federation_certificate_verification_whitelist:
# - lon.example.com # - lon.example.com
# - nyc.example.com # - *.domain.com
# - syd.example.com # - *.onion
# List of custom certificate authorities for federation traffic. # List of custom certificate authorities for federation traffic.
# #
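Review bot: The whitelist's safety now rests entirely on the shape of the pattern `glob_to_regex` returns, because the consumer in the third file of this commit tests it with `regex.match(host)`, which anchors only at the start of the string; if the compiled pattern has no end anchor, an entry like `lon.example.com` would also disable certificate verification for a hostname that merely starts with it (constructed example: `lon.example.com.attacker.example`). I cannot see `synapse.util.glob_to_regex` from here, so this may already be anchored, but the contract should be pinned where the pattern is stored, e.g. at the append line: `# glob_to_regex must yield a pattern anchored at both ends; the lookup in context_factory uses .match(), which only anchors the start`. Note also that `self.federation_certificate_verification_whitelist` changes from a dict of hostnames to a list of compiled patterns, so any other `host in ...` membership test on it elsewhere would now silently evaluate to False (verification stays on, so this fails closed, but it is an interface change worth a sentence in the comment above the loop). The enclosing method continues outside the hunk.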


@ -145,11 +145,11 @@ class ClientTLSOptionsFactory(object):
should_verify = self._config.federation_verify_certificates should_verify = self._config.federation_verify_certificates
# Check if we've disabled certificate verification for this host # Check if we've disabled certificate verification for this host
if ( if should_verify:
should_verify and for regex in self._config.federation_certificate_verification_whitelist:
host in self._config.federation_certificate_verification_whitelist if regex.match(host):
):
should_verify = False should_verify = False
break
if should_verify: if should_verify:
return ClientTLSOptions(host, self._options_verify._makeContext()) return ClientTLSOptions(host, self._options_verify._makeContext())
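Review bot: Disabling certificate verification for a peer is a security-relevant decision that leaves no trace in the logs; at the point where `should_verify = False` is set, recording which whitelist entry matched would let operators audit why a federation connection was made without verification. Assuming this module has the usual `logger = logging.getLogger(__name__)` (not visible in the hunk), a single line would do: `logger.debug("Skipping TLS verification for %s (matched whitelist entry %r)", host, regex.pattern)`. As a matter of style, the nested for/if/break could also be written as `if should_verify and any(regex.match(host) for regex in self._config.federation_certificate_verification_whitelist): should_verify = False`, though that would lose the matched entry for the log line. The enclosing function starts outside the hunk.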