From 54a6afeee3b1ae8f353edfdf1375aa73c1819e9e Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 28 Jan 2021 17:38:59 +0000 Subject: [PATCH] Cache config options in SSL verification (#9255) Reading from the config object is *slow*. --- changelog.d/9255.misc | 1 + synapse/crypto/context_factory.py | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) create mode 100644 changelog.d/9255.misc diff --git a/changelog.d/9255.misc b/changelog.d/9255.misc new file mode 100644 index 000000000..f723b8ec4 --- /dev/null +++ b/changelog.d/9255.misc @@ -0,0 +1 @@ +Minor performance improvement during TLS handshake. diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py index 74b67b230..14b21796d 100644 --- a/synapse/crypto/context_factory.py +++ b/synapse/crypto/context_factory.py @@ -125,19 +125,24 @@ class FederationPolicyForHTTPS: self._no_verify_ssl_context = _no_verify_ssl.getContext() self._no_verify_ssl_context.set_info_callback(_context_info_cb) - def get_options(self, host: bytes): + self._should_verify = self._config.federation_verify_certificates + self._federation_certificate_verification_whitelist = ( + self._config.federation_certificate_verification_whitelist + ) + + def get_options(self, host: bytes): # IPolicyForHTTPS.get_options takes bytes, but we want to compare # against the str whitelist. The hostnames in the whitelist are already # IDNA-encoded like the hosts will be here. ascii_host = host.decode("ascii") # Check if certificate verification has been enabled - should_verify = self._config.federation_verify_certificates + should_verify = self._should_verify # Check if we've disabled certificate verification for this host - if should_verify: - for regex in self._config.federation_certificate_verification_whitelist: + if self._should_verify: + for regex in self._federation_certificate_verification_whitelist: if regex.match(ascii_host): should_verify = False break