Whitelist per domain
2 files changed, 16 insertions, 5 deletions
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 96eeb862d1..b99159dbbd 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -127,8 +127,20 @@ class ClientTLSOptionsFactory(object):
to remote servers for federation."""
def __init__(self, config):
- self._options = CertificateOptions(verify=config.federation_verify_certificates)
+ # We don't use config options yet
+ self._options_validate = CertificateOptions(verify=True)
+ self._options_novalidate = CertificateOptions(verify=False)
- def get_options(self, host):
+ def get_options(self, host, config):
# Use _makeContext so that we get a fresh OpenSSL CTX each time.
- return ClientTLSOptions(host, self._options._makeContext())
+
+ # Check if certificate validation has been enabled
+ if config.federation_verify_certificates:
+ # Check if this host is whitelisted
+ if host in config.federation_certificate_validation_whitelist:
+ return ClientTLSOptions(host, self._options_novalidate._makeContext())
+
+ # Otherwise require validation
+ return ClientTLSOptions(host, self._options_validate._makeContext())
+
+ return ClientTLSOptions(host, self._options_novalidate._makeContext())
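Review bot: The new comment `# We don't use config options yet` in `__init__` is misleading now that `get_options` reads `config.federation_verify_certificates` and the whitelist on every call; replace it with `# Verification is decided per host in get_options(), so both option sets are built up front`. The three-way branch in `get_options` can be collapsed into one explicit choice, `verify = config.federation_verify_certificates and host not in config.federation_certificate_validation_whitelist`, `opts = self._options_validate if verify else self._options_novalidate`, `return ClientTLSOptions(host, opts._makeContext())`, which makes the whitelist's only effect — turning certificate validation off for that host — visible at a glance. The membership test is an exact string comparison against whatever `host` the caller passes (the decoded `tls_server_name` in the agent hunk), so an entry differing only in case or a trailing dot would presumably not match; the matching rule deserves a comment here and in the documentation of the config option. The `ClientTLSOptionsFactory` class starts outside the hunk.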
diff --git a/synapse/http/federation/matrix_federation_agent.py b/synapse/http/federation/matrix_federation_agent.py
index b254faa4e1..8985649227 100644
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -148,9 +148,8 @@ class MatrixFederationAgent(object):
if self._tls_client_options_factory is None:
tls_options = None
else:
- # TODO: Check the server we're sending to here and change verify value if necessary
tls_options = self._tls_client_options_factory.get_options(
- res.tls_server_name.decode("ascii")
+ res.tls_server_name.decode("ascii"), self.hs.config,
)
# make sure that the Host header is set correctly