summary refs log tree commit diff
path: root/synapse/crypto/context_factory.py
diff options
context:
space:
mode:
authorJeroen <vo.jeroen@gmail.com>2018-06-24 22:38:43 +0200
committerJeroen <vo.jeroen@gmail.com>2018-06-24 22:38:43 +0200
commit3d605853c8e649ab4b3f91fb0a32cc77ef05d71f (patch)
treea7528c2dcf069b50cbe6571bb29bf42610ab3d21 /synapse/crypto/context_factory.py
parentRevert "Merge pull request #3431 from matrix-org/rav/erasure_visibility" (diff)
downloadsynapse-3d605853c8e649ab4b3f91fb0a32cc77ef05d71f.tar.xz
send SNI for federation requests
Diffstat (limited to 'synapse/crypto/context_factory.py')
-rw-r--r--synapse/crypto/context_factory.py34
1 files changed, 33 insertions, 1 deletions
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 0397f73ab4..297a5fb045 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -14,7 +14,8 @@
 
 from twisted.internet import ssl
 from OpenSSL import SSL, crypto
-from twisted.internet._sslverify import _defaultCurveName
+from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, OpenSSLCertificateOptions, \
+    optionsForClientTLS
 
 import logging
 
@@ -48,3 +49,34 @@ class ServerContextFactory(ssl.ContextFactory):
 
     def getContext(self):
         return self._context
+
+
+class ClientTLSOptionsNoCertVerification(ClientTLSOptions):
+    """Redefinition of ClientTLSOptions to completely ignore certificate
+    validation. Should be kept in sync with the original class in Twisted.
+    This version of ClientTLSOptions is only intended for development use."""
+
+    def __init__(self, *args, **kwargs):
+        super(ClientTLSOptionsNoCertVerification, self).__init__(*args, **kwargs)
+
+        def do_nothing(*_args, **_kwargs):
+            pass
+
+        self._ctx.set_info_callback(do_nothing)
+
+
+class ClientTLSOptionsFactory(object):
+    """Factory for Twisted ClientTLSOptions that are used to make connections
+    to remote servers for federation."""
+
+    def __init__(self, config):
+        self._ignore_certificate_validation = config.tls_ignore_certificate_validation
+
+    def get_options(self, host):
+        if self._ignore_certificate_validation:
+            return ClientTLSOptionsNoCertVerification(
+                unicode(host),
+                OpenSSLCertificateOptions(verify=False).getContext()
+            )
+        else:
+            return optionsForClientTLS(unicode(host))