author | Andrew Morgan <andrew@amorgan.xyz> | 2019-03-29 14:09:07 +0000 |
committer | Andrew Morgan <andrew@amorgan.xyz> | 2019-03-29 14:09:07 +0000 |
commit | 5fd4cd0ddd69f1ed9b6683e1e51edf71fa5208e8 (patch) | |
tree | ff346f71e08e4c0b4eed22f1d790196e41a70d6a | |
parent | Config option for verifying federation certificates (diff) | |
download | synapse-5fd4cd0ddd69f1ed9b6683e1e51edf71fa5208e8.tar.xz |
Whitelist per domain
-rw-r--r-- | synapse/crypto/context_factory.py | 18 | ||||
-rw-r--r-- | synapse/http/federation/matrix_federation_agent.py | 3 |
2 files changed, 16 insertions, 5 deletions
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 96eeb862d1..b99159dbbd 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -127,8 +127,20 @@ class ClientTLSOptionsFactory(object):
     to remote servers for federation."""
 
     def __init__(self, config):
-        self._options = CertificateOptions(verify=config.federation_verify_certificates)
+        # We don't use config options yet
+        self._options_validate = CertificateOptions(verify=True)
+        self._options_novalidate = CertificateOptions(verify=False)
 
-    def get_options(self, host):
+    def get_options(self, host, config):
         # Use _makeContext so that we get a fresh OpenSSL CTX each time.
-        return ClientTLSOptions(host, self._options._makeContext())
+
+        # Check if certificate validation has been enabled
+        if config.federation_verify_certificates:
+            # Check if this host is whitelisted
+            if host in config.federation_certificate_validation_whitelist:
+                return ClientTLSOptions(host, self._options_novalidate._makeContext())
+
+            # Otherwise require validation
+            return ClientTLSOptions(host, self._options_validate._makeContext())
+
+        return ClientTLSOptions(host, self._options_novalidate._makeContext())
diff --git a/synapse/http/federation/matrix_federation_agent.py b/synapse/http/federation/matrix_federation_agent.py
index b254faa4e1..8985649227 100644
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -148,9 +148,8 @@ class MatrixFederationAgent(object):
         if self._tls_client_options_factory is None:
             tls_options = None
         else:
-            # TODO: Check the server we're sending to here and change verify value if necessary
             tls_options = self._tls_client_options_factory.get_options(
-                res.tls_server_name.decode("ascii")
+                res.tls_server_name.decode("ascii"), self.hs.config,
             )
 
         # make sure that the Host header is set correctly |
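Review bot: The whitelist lookup in the new `get_options` exempts a host from certificate validation rather than allowing it, and nothing in the hunk says so; a docstring would stop `federation_certificate_validation_whitelist` being read the other way round, e.g. `"""Return TLS options for *host*; validation is skipped when federation_verify_certificates is off, and for hosts in federation_certificate_validation_whitelist even when it is on."""`. Because `host` is whatever the caller passes (in this commit the delegated TLS server name), whitelist entries have to match that name exactly, and if the option is a plain list of strings the `in` test is also case-sensitive, which the config documentation should state. The `# We don't use config options yet` comment in `__init__` is now stale, since `config` is read on every `get_options` call instead, and the `config` parameter to `__init__` is kept but unused. The enclosing class `ClientTLSOptionsFactory` starts before the hunk.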
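Review bot: The new call reads `self.hs.config`, but nothing in this hunk shows that `MatrixFederationAgent` holds an `hs` attribute; if it does not, the first federation request would fail with `AttributeError` inside this `else:` branch, so the attribute should be confirmed (or the config passed in at construction) before this lands. Passing the whole homeserver config per call also duplicates the `config` the factory already receives in its constructor; handing the factory the two options it needs once would keep the agent unaware of TLS policy. The enclosing method starts and ends outside the hunk.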