diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 0397f73ab4..297a5fb045 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -14,7 +14,8 @@
from twisted.internet import ssl
from OpenSSL import SSL, crypto
-from twisted.internet._sslverify import _defaultCurveName
+from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, OpenSSLCertificateOptions, \
+ optionsForClientTLS
import logging
@@ -48,3 +49,34 @@ class ServerContextFactory(ssl.ContextFactory):
def getContext(self):
return self._context
+
+
+class ClientTLSOptionsNoCertVerification(ClientTLSOptions):
+ """Redefinition of ClientTLSOptions to completely ignore certificate
+ validation. Should be kept in sync with the original class in Twisted.
+ This version of ClientTLSOptions is only intended for development use."""
+
+ def __init__(self, *args, **kwargs):
+ super(ClientTLSOptionsNoCertVerification, self).__init__(*args, **kwargs)
+
+ def do_nothing(*_args, **_kwargs):
+ pass
+
+ self._ctx.set_info_callback(do_nothing)
+
+
+class ClientTLSOptionsFactory(object):
+ """Factory for Twisted ClientTLSOptions that are used to make connections
+ to remote servers for federation."""
+
+ def __init__(self, config):
+ self._ignore_certificate_validation = config.tls_ignore_certificate_validation
+
+ def get_options(self, host):
+ if self._ignore_certificate_validation:
+ return ClientTLSOptionsNoCertVerification(
+ unicode(host),
+ OpenSSLCertificateOptions(verify=False).getContext()
+ )
+ else:
+ return optionsForClientTLS(unicode(host))
diff --git a/synapse/crypto/keyclient.py b/synapse/crypto/keyclient.py
index f1fd488b90..8e48f8a9cf 100644
--- a/synapse/crypto/keyclient.py
+++ b/synapse/crypto/keyclient.py
@@ -28,14 +28,14 @@ KEY_API_V1 = b"/_matrix/key/v1/"
@defer.inlineCallbacks
-def fetch_server_key(server_name, ssl_context_factory, path=KEY_API_V1):
+def fetch_server_key(server_name, tls_client_options_factory, path=KEY_API_V1):
"""Fetch the keys for a remote server."""
factory = SynapseKeyClientFactory()
factory.path = path
factory.host = server_name
endpoint = matrix_federation_endpoint(
- reactor, server_name, ssl_context_factory, timeout=30
+ reactor, server_name, tls_client_options_factory, timeout=30
)
for i in range(5):
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
index 9b17ef0a08..9a1bb211fb 100644
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@@ -510,7 +510,7 @@ class Keyring(object):
continue
(response, tls_certificate) = yield fetch_server_key(
- server_name, self.hs.tls_server_context_factory,
+ server_name, self.tls_client_options_factory,
path=(b"/_matrix/key/v2/server/%s" % (
urllib.quote(requested_key_id),
)).encode("ascii"),
@@ -653,7 +653,7 @@ class Keyring(object):
# Try to fetch the key from the remote server.
(response, tls_certificate) = yield fetch_server_key(
- server_name, self.hs.tls_server_context_factory
+ server_name, self.hs.tls_client_options_factory
)
# Check the response.
|
