Merge branch 'daniel/insecureclient' into develop
commit
2c746382e0
|
@ -221,7 +221,7 @@ class SynapseHomeServer(HomeServer):
|
||||||
listener_config,
|
listener_config,
|
||||||
root_resource,
|
root_resource,
|
||||||
),
|
),
|
||||||
self.tls_context_factory,
|
self.tls_server_context_factory,
|
||||||
interface=bind_address
|
interface=bind_address
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
|
@ -365,7 +365,6 @@ def setup(config_options):
|
||||||
Args:
|
Args:
|
||||||
config_options_options: The options passed to Synapse. Usually
|
config_options_options: The options passed to Synapse. Usually
|
||||||
`sys.argv[1:]`.
|
`sys.argv[1:]`.
|
||||||
should_run (bool): Whether to start the reactor.
|
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
HomeServer
|
HomeServer
|
||||||
|
@ -388,7 +387,7 @@ def setup(config_options):
|
||||||
|
|
||||||
events.USE_FROZEN_DICTS = config.use_frozen_dicts
|
events.USE_FROZEN_DICTS = config.use_frozen_dicts
|
||||||
|
|
||||||
tls_context_factory = context_factory.ServerContextFactory(config)
|
tls_server_context_factory = context_factory.ServerContextFactory(config)
|
||||||
|
|
||||||
database_engine = create_engine(config.database_config["name"])
|
database_engine = create_engine(config.database_config["name"])
|
||||||
config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection
|
config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection
|
||||||
|
@ -396,7 +395,7 @@ def setup(config_options):
|
||||||
hs = SynapseHomeServer(
|
hs = SynapseHomeServer(
|
||||||
config.server_name,
|
config.server_name,
|
||||||
db_config=config.database_config,
|
db_config=config.database_config,
|
||||||
tls_context_factory=tls_context_factory,
|
tls_server_context_factory=tls_server_context_factory,
|
||||||
config=config,
|
config=config,
|
||||||
content_addr=config.content_addr,
|
content_addr=config.content_addr,
|
||||||
version_string=version_string,
|
version_string=version_string,
|
||||||
|
|
|
@ -42,6 +42,14 @@ class TlsConfig(Config):
|
||||||
config.get("tls_dh_params_path"), "tls_dh_params"
|
config.get("tls_dh_params_path"), "tls_dh_params"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# This config option applies to non-federation HTTP clients
|
||||||
|
# (e.g. for talking to recaptcha, identity servers, and such)
|
||||||
|
# It should never be used in production, and is intended for
|
||||||
|
# use only when running tests.
|
||||||
|
self.use_insecure_ssl_client = config.get(
|
||||||
|
"i_really_want_to_ignore_ssl_certs_when_i_am_an_https_client_even_"
|
||||||
|
"though_it_is_woefully_insecure_because_i_am_testing_i_promise", False)
|
||||||
|
|
||||||
def default_config(self, config_dir_path, server_name):
|
def default_config(self, config_dir_path, server_name):
|
||||||
base_key_name = os.path.join(config_dir_path, server_name)
|
base_key_name = os.path.join(config_dir_path, server_name)
|
||||||
|
|
||||||
|
|
|
@ -463,7 +463,7 @@ class Keyring(object):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
(response, tls_certificate) = yield fetch_server_key(
|
(response, tls_certificate) = yield fetch_server_key(
|
||||||
server_name, self.hs.tls_context_factory,
|
server_name, self.hs.tls_server_context_factory,
|
||||||
path=(b"/_matrix/key/v2/server/%s" % (
|
path=(b"/_matrix/key/v2/server/%s" % (
|
||||||
urllib.quote(requested_key_id),
|
urllib.quote(requested_key_id),
|
||||||
)).encode("ascii"),
|
)).encode("ascii"),
|
||||||
|
@ -597,7 +597,7 @@ class Keyring(object):
|
||||||
# Try to fetch the key from the remote server.
|
# Try to fetch the key from the remote server.
|
||||||
|
|
||||||
(response, tls_certificate) = yield fetch_server_key(
|
(response, tls_certificate) = yield fetch_server_key(
|
||||||
server_name, self.hs.tls_context_factory
|
server_name, self.hs.tls_server_context_factory
|
||||||
)
|
)
|
||||||
|
|
||||||
# Check the response.
|
# Check the response.
|
||||||
|
|
|
@ -19,7 +19,6 @@ from ._base import BaseHandler
|
||||||
from synapse.api.constants import LoginType
|
from synapse.api.constants import LoginType
|
||||||
from synapse.types import UserID
|
from synapse.types import UserID
|
||||||
from synapse.api.errors import LoginError, Codes
|
from synapse.api.errors import LoginError, Codes
|
||||||
from synapse.http.client import SimpleHttpClient
|
|
||||||
from synapse.util.async import run_on_reactor
|
from synapse.util.async import run_on_reactor
|
||||||
|
|
||||||
from twisted.web.client import PartialDownloadError
|
from twisted.web.client import PartialDownloadError
|
||||||
|
@ -187,7 +186,7 @@ class AuthHandler(BaseHandler):
|
||||||
# TODO: get this from the homeserver rather than creating a new one for
|
# TODO: get this from the homeserver rather than creating a new one for
|
||||||
# each request
|
# each request
|
||||||
try:
|
try:
|
||||||
client = SimpleHttpClient(self.hs)
|
client = self.hs.get_simple_http_client()
|
||||||
resp_body = yield client.post_urlencoded_get_json(
|
resp_body = yield client.post_urlencoded_get_json(
|
||||||
self.hs.config.recaptcha_siteverify_api,
|
self.hs.config.recaptcha_siteverify_api,
|
||||||
args={
|
args={
|
||||||
|
|
|
@ -12,6 +12,8 @@
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
from OpenSSL import SSL
|
||||||
|
from OpenSSL.SSL import VERIFY_NONE
|
||||||
|
|
||||||
from synapse.api.errors import CodeMessageException
|
from synapse.api.errors import CodeMessageException
|
||||||
from synapse.util.logcontext import preserve_context_over_fn
|
from synapse.util.logcontext import preserve_context_over_fn
|
||||||
|
@ -19,7 +21,7 @@ import synapse.metrics
|
||||||
|
|
||||||
from canonicaljson import encode_canonical_json
|
from canonicaljson import encode_canonical_json
|
||||||
|
|
||||||
from twisted.internet import defer, reactor
|
from twisted.internet import defer, reactor, ssl
|
||||||
from twisted.web.client import (
|
from twisted.web.client import (
|
||||||
Agent, readBody, FileBodyProducer, PartialDownloadError,
|
Agent, readBody, FileBodyProducer, PartialDownloadError,
|
||||||
HTTPConnectionPool,
|
HTTPConnectionPool,
|
||||||
|
@ -59,7 +61,12 @@ class SimpleHttpClient(object):
|
||||||
# 'like a browser'
|
# 'like a browser'
|
||||||
pool = HTTPConnectionPool(reactor)
|
pool = HTTPConnectionPool(reactor)
|
||||||
pool.maxPersistentPerHost = 10
|
pool.maxPersistentPerHost = 10
|
||||||
self.agent = Agent(reactor, pool=pool)
|
self.agent = Agent(
|
||||||
|
reactor,
|
||||||
|
pool=pool,
|
||||||
|
connectTimeout=15,
|
||||||
|
contextFactory=hs.get_http_client_context_factory()
|
||||||
|
)
|
||||||
self.version_string = hs.version_string
|
self.version_string = hs.version_string
|
||||||
|
|
||||||
def request(self, method, uri, *args, **kwargs):
|
def request(self, method, uri, *args, **kwargs):
|
||||||
|
@ -252,3 +259,18 @@ def _print_ex(e):
|
||||||
_print_ex(ex)
|
_print_ex(ex)
|
||||||
else:
|
else:
|
||||||
logger.exception(e)
|
logger.exception(e)
|
||||||
|
|
||||||
|
|
||||||
|
class WoefullyInsecureContextFactory(ssl.ContextFactory):
|
||||||
|
"""
|
||||||
|
Factory for PyOpenSSL SSL contexts which does absolutely no certificate verification.
|
||||||
|
|
||||||
|
Do not use this unless you really, really hate your users.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
self._context = SSL.Context(SSL.SSLv23_METHOD)
|
||||||
|
self._context.set_verify(VERIFY_NONE, lambda *_: None)
|
||||||
|
|
||||||
|
def getContext(self, hostname, port):
|
||||||
|
return self._context
|
||||||
|
|
|
@ -57,14 +57,14 @@ incoming_responses_counter = metrics.register_counter(
|
||||||
|
|
||||||
class MatrixFederationEndpointFactory(object):
|
class MatrixFederationEndpointFactory(object):
|
||||||
def __init__(self, hs):
|
def __init__(self, hs):
|
||||||
self.tls_context_factory = hs.tls_context_factory
|
self.tls_server_context_factory = hs.tls_server_context_factory
|
||||||
|
|
||||||
def endpointForURI(self, uri):
|
def endpointForURI(self, uri):
|
||||||
destination = uri.netloc
|
destination = uri.netloc
|
||||||
|
|
||||||
return matrix_federation_endpoint(
|
return matrix_federation_endpoint(
|
||||||
reactor, destination, timeout=10,
|
reactor, destination, timeout=10,
|
||||||
ssl_context_factory=self.tls_context_factory
|
ssl_context_factory=self.tls_server_context_factory
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,9 @@
|
||||||
# partial one for unit test mocking.
|
# partial one for unit test mocking.
|
||||||
|
|
||||||
# Imports required for the default HomeServer() implementation
|
# Imports required for the default HomeServer() implementation
|
||||||
|
from twisted.web.client import BrowserLikePolicyForHTTPS
|
||||||
from synapse.federation import initialize_http_replication
|
from synapse.federation import initialize_http_replication
|
||||||
|
from synapse.http.client import SimpleHttpClient, WoefullyInsecureContextFactory
|
||||||
from synapse.notifier import Notifier
|
from synapse.notifier import Notifier
|
||||||
from synapse.api.auth import Auth
|
from synapse.api.auth import Auth
|
||||||
from synapse.handlers import Handlers
|
from synapse.handlers import Handlers
|
||||||
|
@ -87,6 +89,8 @@ class BaseHomeServer(object):
|
||||||
'pusherpool',
|
'pusherpool',
|
||||||
'event_builder_factory',
|
'event_builder_factory',
|
||||||
'filtering',
|
'filtering',
|
||||||
|
'http_client_context_factory',
|
||||||
|
'simple_http_client',
|
||||||
]
|
]
|
||||||
|
|
||||||
def __init__(self, hostname, **kwargs):
|
def __init__(self, hostname, **kwargs):
|
||||||
|
@ -174,6 +178,16 @@ class HomeServer(BaseHomeServer):
|
||||||
def build_auth(self):
|
def build_auth(self):
|
||||||
return Auth(self)
|
return Auth(self)
|
||||||
|
|
||||||
|
def build_http_client_context_factory(self):
|
||||||
|
config = self.get_config()
|
||||||
|
return (
|
||||||
|
WoefullyInsecureContextFactory() if config.use_insecure_ssl_client
|
||||||
|
else BrowserLikePolicyForHTTPS()
|
||||||
|
)
|
||||||
|
|
||||||
|
def build_simple_http_client(self):
|
||||||
|
return SimpleHttpClient(self)
|
||||||
|
|
||||||
def build_v1auth(self):
|
def build_v1auth(self):
|
||||||
orf = Auth(self)
|
orf = Auth(self)
|
||||||
# Matrix spec makes no reference to what HTTP status code is returned,
|
# Matrix spec makes no reference to what HTTP status code is returned,
|
||||||
|
|
Loading…
Reference in New Issue