Share SSL options for well-known requests

2025-12-15 23:13:50 -05:00 · 2019-07-30 17:42:56 +01:00 · 2019-07-30 17:42:56 +01:00 · a9bcae9f50
commit a9bcae9f50
parent d4f91e7e9f
3 changed files with 19 additions and 17 deletions
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -31,6 +31,7 @@ from twisted.internet.ssl import (
    platformTrust,
 )
 from twisted.python.failure import Failure
+from twisted.web.iweb import IPolicyForHTTPS

 logger = logging.getLogger(__name__)

@ -74,6 +75,7 @@ class ServerContextFactory(ContextFactory):
        return self._context


+@implementer(IPolicyForHTTPS)
 class ClientTLSOptionsFactory(object):
    """Factory for Twisted SSLClientConnectionCreators that are used to make connections
    to remote servers for federation.
@ -146,6 +148,12 @@ class ClientTLSOptionsFactory(object):
            f = Failure()
            tls_protocol.failVerification(f)

+    def creatorForNetloc(self, hostname, port):
+        """Implements the IPolicyForHTTPS interace so that this can be passed
+        directly to agents.
+        """
+        return self.get_options(hostname)
+

@implementer(IOpenSSLClientConnectionCreator)
 class SSLClientConnectionCreator(object):
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@ -64,10 +64,6 @@ class MatrixFederationAgent(object):
        tls_client_options_factory (ClientTLSOptionsFactory|None):
            factory to use for fetching client tls options, or none to disable TLS.

-        _well_known_tls_policy (IPolicyForHTTPS|None):
-            TLS policy to use for fetching .well-known files. None to use a default
-            (browser-like) implementation.
-
        _srv_resolver (SrvResolver|None):
            SRVResolver impl to use for looking up SRV records. None to use a default
            implementation.
@ -81,7 +77,6 @@ class MatrixFederationAgent(object):
        self,
        reactor,
        tls_client_options_factory,
-        _well_known_tls_policy=None,
        _srv_resolver=None,
        _well_known_cache=well_known_cache,
    ):
@ -98,13 +93,12 @@ class MatrixFederationAgent(object):
        self._pool.maxPersistentPerHost = 5
        self._pool.cachedConnectionTimeout = 2 * 60

-        agent_args = {}
-        if _well_known_tls_policy is not None:
-            # the param is called 'contextFactory', but actually passing a
-            # contextfactory is deprecated, and it expects an IPolicyForHTTPS.
-            agent_args["contextFactory"] = _well_known_tls_policy
        _well_known_agent = RedirectAgent(
-            Agent(self._reactor, pool=self._pool, **agent_args)
+            Agent(
+                self._reactor,
+                pool=self._pool,
+                contextFactory=tls_client_options_factory,
+            )
        )
        self._well_known_agent = _well_known_agent