domain globbing

2024-12-21 12:14:29 +03:00 · 2019-04-04 16:20:56 +01:00 · 2019-04-04 16:20:56 +01:00 · 93850f0ac8
commit 93850f0ac8
parent edf2dd4744
3 changed files with 17 additions and 14 deletions
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -274,8 +274,8 @@ listeners:
 #
 #federation_certificate_verification_whitelist:
 #  - lon.example.com
-#  - nyc.example.com
-#  - syd.example.com
+#  - *.domain.com
+#  - *.onion

 # List of custom certificate authorities for federation traffic.
 #
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -27,6 +27,7 @@ from OpenSSL import crypto
 from twisted.internet._sslverify import Certificate, trustRootFromCertificates

 from synapse.config._base import Config, ConfigError
+from synapse.util import glob_to_regex

 logger = logging.getLogger(__name__)

@ -77,14 +78,16 @@ class TlsConfig(Config):
        )

        # Whitelist of domains to not verify certificates for
-        federation_certificate_verification_whitelist = config.get(
+        fed_whitelist_entries = config.get(
            "federation_certificate_verification_whitelist", [],
        )

-        # Store whitelisted domains in a hash for fast lookup
-        self.federation_certificate_verification_whitelist = {}
-        for domain in federation_certificate_verification_whitelist:
-            self.federation_certificate_verification_whitelist[domain] = True
+        # Support globs (*) in whitelist values
+        self.federation_certificate_verification_whitelist = []
+        for entry in fed_whitelist_entries:
+            # Convert globs to regex
+            entry_regex = glob_to_regex(entry)
+            self.federation_certificate_verification_whitelist.append(entry_regex)

        # List of custom certificate authorities for federation traffic validation
        custom_ca_list = config.get(
@ -252,8 +255,8 @@ class TlsConfig(Config):
        #
        #federation_certificate_verification_whitelist:
        #  - lon.example.com
-        #  - nyc.example.com
-        #  - syd.example.com
+        #  - *.domain.com
+        #  - *.onion

        # List of custom certificate authorities for federation traffic.
        #
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -145,11 +145,11 @@ class ClientTLSOptionsFactory(object):
        should_verify = self._config.federation_verify_certificates

        # Check if we've disabled certificate verification for this host
-        if (
-            should_verify and
-            host in self._config.federation_certificate_verification_whitelist
-        ):
+        if should_verify:
+            for regex in self._config.federation_certificate_verification_whitelist:
+                if regex.match(host):
                    should_verify = False
+                    break

        if should_verify:
            return ClientTLSOptions(host, self._options_verify._makeContext())