allow self-signed certificates

This commit is contained in:
Jeroen 2018-06-26 20:41:05 +02:00
parent 07b4f88de9
commit b7f34ee348
3 changed files with 37 additions and 36 deletions


@ -47,10 +47,6 @@ class TlsConfig(Config):
self.tls_fingerprints = config["tls_fingerprints"] self.tls_fingerprints = config["tls_fingerprints"]
self.tls_ignore_certificate_validation = config.get(
"tls_ignore_certificate_validation", False
)
# Check that our own certificate is included in the list of fingerprints # Check that our own certificate is included in the list of fingerprints
# and include it if it is not. # and include it if it is not.
x509_certificate_bytes = crypto.dump_certificate( x509_certificate_bytes = crypto.dump_certificate(
@ -77,8 +73,6 @@ class TlsConfig(Config):
tls_private_key_path = base_key_name + ".tls.key" tls_private_key_path = base_key_name + ".tls.key"
tls_dh_params_path = base_key_name + ".tls.dh" tls_dh_params_path = base_key_name + ".tls.dh"
tls_ignore_certificate_validation = False
return """\ return """\
# PEM encoded X509 certificate for TLS. # PEM encoded X509 certificate for TLS.
# You can replace the self-signed certificate that synapse # You can replace the self-signed certificate that synapse
@ -123,11 +117,6 @@ class TlsConfig(Config):
# #
tls_fingerprints: [] tls_fingerprints: []
# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
# Ignore certificate validation for TLS client connections to other
# homeservers using federation. Don't enable this in a production
# environment, unless you know what you are doing!
tls_ignore_certificate_validation: %(tls_ignore_certificate_validation)s
""" % locals() """ % locals()
def read_tls_certificate(self, cert_path): def read_tls_certificate(self, cert_path):


@ -11,18 +11,19 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from twisted.internet import ssl
from OpenSSL import SSL, crypto
from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, \
OpenSSLCertificateOptions, optionsForClientTLS
import logging import logging
import idna
from OpenSSL import SSL, crypto
from twisted.internet.ssl import ContextFactory, CertificateOptions
from twisted.internet._sslverify import _defaultCurveName, _tolerateErrors
from twisted.internet.interfaces import IOpenSSLClientConnectionCreator
from zope.interface import implementer
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
class ServerContextFactory(ssl.ContextFactory): class ServerContextFactory(ContextFactory):
"""Factory for PyOpenSSL SSL contexts that are used to handle incoming """Factory for PyOpenSSL SSL contexts that are used to handle incoming
connections and to make connections to remote servers.""" connections and to make connections to remote servers."""
@ -51,18 +52,31 @@ class ServerContextFactory(ssl.ContextFactory):
return self._context return self._context
class ClientTLSOptionsNoCertVerification(ClientTLSOptions): @implementer(IOpenSSLClientConnectionCreator)
"""Redefinition of ClientTLSOptions to completely ignore certificate class ClientTLSOptions(object):
validation. Should be kept in sync with the original class in Twisted. """
This version of ClientTLSOptions is only intended for development use.""" Client creator for TLS without certificate identity verification. This is a
copy of twisted.internet._sslverify.ClientTLSOptions with the identity
verification left out. For documentation, see the twisted documentation.
"""
def __init__(self, *args, **kwargs): def __init__(self, hostname, ctx):
super(ClientTLSOptionsNoCertVerification, self).__init__(*args, **kwargs) self._ctx = ctx
self._hostname = hostname
self._hostnameBytes = idna.encode(hostname)
ctx.set_info_callback(
_tolerateErrors(self._identityVerifyingInfoCallback)
)
def do_nothing(*_args, **_kwargs): def clientConnectionForTLS(self, tlsProtocol):
pass context = self._ctx
connection = SSL.Connection(context, None)
connection.set_app_data(tlsProtocol)
return connection
self._ctx.set_info_callback(do_nothing) def _identityVerifyingInfoCallback(self, connection, where, ret):
if where & SSL.SSL_CB_HANDSHAKE_START:
connection.set_tlsext_host_name(self._hostnameBytes)
class ClientTLSOptionsFactory(object): class ClientTLSOptionsFactory(object):
@ -70,13 +84,11 @@ class ClientTLSOptionsFactory(object):
to remote servers for federation.""" to remote servers for federation."""
def __init__(self, config): def __init__(self, config):
self._ignore_certificate_validation = config.tls_ignore_certificate_validation # We don't use config options yet
pass
def get_options(self, host): def get_options(self, host):
if self._ignore_certificate_validation: return ClientTLSOptions(
return ClientTLSOptionsNoCertVerification(
unicode(host), unicode(host),
OpenSSLCertificateOptions(verify=False).getContext() CertificateOptions(verify=False).getContext()
) )
else:
return optionsForClientTLS(unicode(host))
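Review bot: In the new `ClientTLSOptions` class (the middle hunk of this file) the method named `_identityVerifyingInfoCallback` only sets the SNI host name, and `ClientTLSOptionsFactory.get_options` below hands it a `CertificateOptions(verify=False)` context, so a completed federation handshake no longer says anything about who the peer is — yet neither the class docstring nor the factory states which other layer is expected to authenticate the remote homeserver. I'd either rename the method to `_setHostnameInfoCallback` or keep the name and add `# Only sets SNI; peer identity verification is intentionally omitted (see class docstring)`, and extend the class docstring with one sentence saying callers must not treat a successful handshake as proof of the remote's identity. Separately, the factory now ignores `config` entirely and the first file removes `tls_ignore_certificate_validation` from `TlsConfig`, so a deployment that still has that key in its YAML set to false is silently left with validation disabled; emitting a warning from `TlsConfig.read_config` when the key is present, e.g. `if "tls_ignore_certificate_validation" in config: logger.warning("tls_ignore_certificate_validation is no longer used; certificate validation is always disabled")`, would make that visible (assuming a module logger exists in that file, which this diff does not show). `ClientTLSOptionsFactory` begins before this hunk.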


@ -65,7 +65,7 @@ def matrix_federation_endpoint(reactor, destination, tls_client_options_factory=
else: else:
def transport_endpoint(reactor, host, port, timeout): def transport_endpoint(reactor, host, port, timeout):
return wrapClientTLS( return wrapClientTLS(
tls_client_options_factory.get_options(unicode(host)), tls_client_options_factory.get_options(host),
HostnameEndpoint(reactor, host, port, timeout=timeout)) HostnameEndpoint(reactor, host, port, timeout=timeout))
default_port = 8448 default_port = 8448