authorJeroen <vo.jeroen@gmail.com>2018-06-24 22:38:43 +0200
committerJeroen <vo.jeroen@gmail.com>2018-06-24 22:38:43 +0200
commit3d605853c8e649ab4b3f91fb0a32cc77ef05d71f (patch)
treea7528c2dcf069b50cbe6571bb29bf42610ab3d21 /synapse/crypto
parentRevert "Merge pull request #3431 from matrix-org/rav/erasure_visibility" (diff)
send SNI for federation requests
Diffstat (limited to 'synapse/crypto')
-rw-r--r--synapse/crypto/context_factory.py34
-rw-r--r--synapse/crypto/keyclient.py4
-rw-r--r--synapse/crypto/keyring.py4
3 files changed, 37 insertions, 5 deletions
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 0397f73ab4..297a5fb045 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -14,7 +14,8 @@
 
 from twisted.internet import ssl
 from OpenSSL import SSL, crypto
-from twisted.internet._sslverify import _defaultCurveName
+from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, OpenSSLCertificateOptions, \
+    optionsForClientTLS
 
 import logging
 
@@ -48,3 +49,34 @@ class ServerContextFactory(ssl.ContextFactory):
 
     def getContext(self):
         return self._context
+
+
+class ClientTLSOptionsNoCertVerification(ClientTLSOptions):
+    """Redefinition of ClientTLSOptions to completely ignore certificate
+    validation. Should be kept in sync with the original class in Twisted.
+    This version of ClientTLSOptions is only intended for development use."""
+
+    def __init__(self, *args, **kwargs):
+        super(ClientTLSOptionsNoCertVerification, self).__init__(*args, **kwargs)
+
+        def do_nothing(*_args, **_kwargs):
+            pass
+
+        self._ctx.set_info_callback(do_nothing)
+
+
+class ClientTLSOptionsFactory(object):
+    """Factory for Twisted ClientTLSOptions that are used to make connections
+    to remote servers for federation."""
+
+    def __init__(self, config):
+        self._ignore_certificate_validation = config.tls_ignore_certificate_validation
+
+    def get_options(self, host):
+        if self._ignore_certificate_validation:
+            return ClientTLSOptionsNoCertVerification(
+                unicode(host),
+                OpenSSLCertificateOptions(verify=False).getContext()
+            )
+        else:
+            return optionsForClientTLS(unicode(host))
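Review bot: Replacing the context's info callback with `do_nothing` in `ClientTLSOptionsNoCertVerification.__init__` most likely means no SNI is sent on the ignore-verification path, which is the opposite of what the commit title promises; in the Twisted versions I know, `ClientTLSOptions` installs `_identityVerifyingInfoCallback` on the same context and that callback is what sets the TLS host name on handshake start, with hostname verification only running when the context's verify mode is not `VERIFY_NONE`. Since `OpenSSLCertificateOptions(verify=False).getContext()` already yields a `VERIFY_NONE` context, the subclass appears unnecessary: `get_options` could return `ClientTLSOptions(unicode(host), OpenSSLCertificateOptions(verify=False).getContext())` directly and keep SNI, though this should be confirmed against the pinned Twisted release. Independently, `unicode(host)` is Python 2 only; `six.text_type(host)` would survive a Python 3 move if the codebase already uses `six`. It would also be worth a `logger.warning` the first time the no-verification branch is taken, so a misconfigured production deployment is visible in the logs.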
diff --git a/synapse/crypto/keyclient.py b/synapse/crypto/keyclient.py
index f1fd488b90..8e48f8a9cf 100644
--- a/synapse/crypto/keyclient.py
+++ b/synapse/crypto/keyclient.py
@@ -28,14 +28,14 @@ KEY_API_V1 = b"/_matrix/key/v1/"
 
 
 @defer.inlineCallbacks
-def fetch_server_key(server_name, ssl_context_factory, path=KEY_API_V1):
+def fetch_server_key(server_name, tls_client_options_factory, path=KEY_API_V1):
     """Fetch the keys for a remote server."""
 
     factory = SynapseKeyClientFactory()
     factory.path = path
     factory.host = server_name
     endpoint = matrix_federation_endpoint(
-        reactor, server_name, ssl_context_factory, timeout=30
+        reactor, server_name, tls_client_options_factory, timeout=30
     )
 
     for i in range(5):
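Review bot: The docstring of `fetch_server_key` still reads only "Fetch the keys for a remote server." and does not describe the renamed `tls_client_options_factory` parameter, whose type has changed from a server context factory to a client options factory; a line such as `tls_client_options_factory: ClientTLSOptionsFactory used to build the TLS options for the outbound connection` would tell callers what is now expected. The body of `fetch_server_key` continues beyond the hunk.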
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
index 9b17ef0a08..9a1bb211fb 100644
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@@ -510,7 +510,7 @@ class Keyring(object):
                 continue
 
             (response, tls_certificate) = yield fetch_server_key(
-                server_name, self.hs.tls_server_context_factory,
+                server_name, self.tls_client_options_factory,
                 path=(b"/_matrix/key/v2/server/%s" % (
                     urllib.quote(requested_key_id),
                 )).encode("ascii"),
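Review bot: The attribute used here, `self.tls_client_options_factory`, does not match the second hunk of this file, where the same call site uses `self.hs.tls_client_options_factory`; one of the two is presumably wrong, and if `Keyring.__init__` (outside this hunk) does not set `tls_client_options_factory` on the instance this line raises `AttributeError` at runtime. Please pick one form, most likely `server_name, self.hs.tls_client_options_factory,` to mirror the other hunk, unless the constructor already exposes the factory on `self`. Both enclosing methods start and end outside their hunks.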
@@ -653,7 +653,7 @@ class Keyring(object):
         # Try to fetch the key from the remote server.
 
         (response, tls_certificate) = yield fetch_server_key(
-            server_name, self.hs.tls_server_context_factory
+            server_name, self.hs.tls_client_options_factory
         )
 
         # Check the response.