Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

send SNI for federation requests #3439

Merged
merged 13 commits into from
Aug 10, 2018
Merged

send SNI for federation requests #3439

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
3d60585
send SNI for federation requests
Jun 24, 2018
07b4f88
formatting changes for pep8
Jun 25, 2018
b7f34ee
allow self-signed certificates
Jun 26, 2018
26651b0
towncrier changelog
Jun 26, 2018
95341a8
take idna implementation from twisted
Jun 26, 2018
b5e157d
Merge branch 'develop' into send_sni_for_federation_requests
Jul 9, 2018
505530f
Merge remote-tracking branch 'upstream/develop' into send_sni_for_fed…
Jul 14, 2018
7041cd8
Merge branch 'develop' into send_sni_for_federation_requests
richvdh Jul 27, 2018
8e3f75b
fix accidental removal of hs
Jul 27, 2018
2903e65
fix isort
Jul 29, 2018
d5c0ce4
updated docstring for ServerContextFactory
Aug 8, 2018
6489934
include private functions from twisted
Aug 9, 2018
2e9c73e
more generic conversion of str/bytes to unicode
Aug 9, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/1491.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add support for the SNI extension to federation TLS connections
2 changes: 2 additions & 0 deletions synapse/app/client_reader.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,11 +168,13 @@ def start(config_options):
database_engine = create_engine(config.database_config)

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ss = ClientReaderServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/event_creator.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,11 +174,13 @@ def start(config_options):
database_engine = create_engine(config.database_config)

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ss = EventCreatorServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/federation_reader.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,11 +143,13 @@ def start(config_options):
database_engine = create_engine(config.database_config)

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ss = FederationReaderServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/federation_sender.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,11 +186,13 @@ def start(config_options):
config.send_federation = True

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ps = FederationSenderServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/frontend_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,11 +208,13 @@ def start(config_options):
database_engine = create_engine(config.database_config)

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ss = FrontendProxyServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/homeserver.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,7 @@ def setup(config_options):
events.USE_FROZEN_DICTS = config.use_frozen_dicts

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

database_engine = create_engine(config.database_config)
config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection
Expand All @@ -339,6 +340,7 @@ def setup(config_options):
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/media_repository.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,11 +155,13 @@ def start(config_options):
database_engine = create_engine(config.database_config)

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ss = MediaRepositoryServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
2 changes: 2 additions & 0 deletions synapse/app/user_dir.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,11 +214,13 @@ def start(config_options):
config.update_user_directory = True

tls_server_context_factory = context_factory.ServerContextFactory(config)
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(config)

ps = UserDirectoryServer(
config.server_name,
db_config=config.database_config,
tls_server_context_factory=tls_server_context_factory,
tls_client_options_factory=tls_client_options_factory,
config=config,
version_string="Synapse/" + get_version_string(synapse),
database_engine=database_engine,
Expand Down
86 changes: 82 additions & 4 deletions synapse/crypto/context_factory.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,22 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import logging

from zope.interface import implementer

from OpenSSL import SSL, crypto
from twisted.internet import ssl
from twisted.internet._sslverify import _defaultCurveName
from twisted.internet.interfaces import IOpenSSLClientConnectionCreator
from twisted.internet.ssl import CertificateOptions, ContextFactory
from twisted.python.failure import Failure

logger = logging.getLogger(__name__)


class ServerContextFactory(ssl.ContextFactory):
class ServerContextFactory(ContextFactory):
"""Factory for PyOpenSSL SSL contexts that are used to handle incoming
connections and to make connections to remote servers."""
connections."""

def __init__(self, config):
self._context = SSL.Context(SSL.SSLv23_METHOD)
Expand All @@ -48,3 +51,78 @@ def configure_context(context, config):

def getContext(self):
return self._context


def _idnaBytes(text):
"""
Convert some text typed by a human into some ASCII bytes. This is a
copy of twisted.internet._idna._idnaBytes. For documentation, see the
twisted documentation.
"""
try:
import idna
except ImportError:
return text.encode("idna")
else:
return idna.encode(text)


def _tolerateErrors(wrapped):
"""
Wrap up an info_callback for pyOpenSSL so that if something goes wrong
the error is immediately logged and the connection is dropped if possible.
This is a copy of twisted.internet._sslverify._tolerateErrors. For
documentation, see the twisted documentation.
"""

def infoCallback(connection, where, ret):
try:
return wrapped(connection, where, ret)
except: # noqa: E722, taken from the twisted implementation
f = Failure()
logger.exception("Error during info_callback")
connection.get_app_data().failVerification(f)

return infoCallback


@implementer(IOpenSSLClientConnectionCreator)
class ClientTLSOptions(object):
"""
Client creator for TLS without certificate identity verification. This is a
copy of twisted.internet._sslverify.ClientTLSOptions with the identity
verification left out. For documentation, see the twisted documentation.
"""

def __init__(self, hostname, ctx):
self._ctx = ctx
self._hostname = hostname
self._hostnameBytes = _idnaBytes(hostname)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be nice to copy _idnaBytes and _tolerateErrors (both of which seem to be trivial) rather than using the private impls from twisted.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree it's not best practice to use private implementations. But, if I just copy _tolerateErrors, the pep8 test fails as it contains a bare "except:" statement. I'm not familiar enough with twisted / openssl to know which errors this try/except clause should catch. I can change this to "except Exception:" to both catch all errors and pass the pep8 test, but that doesn't seem right either. However it is the easiest solution. What do you think?

This is the _tolerateErrors code:

def _tolerateErrors(wrapped):
    def infoCallback(connection, where, ret):
        try:
            return wrapped(connection, where, ret)
        except:
            f = Failure()
            logger.exception("Error during info_callback")
            connection.get_app_data().failVerification(f)
    return infoCallback

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can write # noqa: E722 to disable the pep8 test. See https://github.com/matrix-org/synapse/blob/develop/synapse/handlers/message.py#L583 for an example.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's an even easier solution. I'll add this comment.

ctx.set_info_callback(
_tolerateErrors(self._identityVerifyingInfoCallback)
)

def clientConnectionForTLS(self, tlsProtocol):
context = self._ctx
connection = SSL.Connection(context, None)
connection.set_app_data(tlsProtocol)
return connection

def _identityVerifyingInfoCallback(self, connection, where, ret):
if where & SSL.SSL_CB_HANDSHAKE_START:
connection.set_tlsext_host_name(self._hostnameBytes)


class ClientTLSOptionsFactory(object):
"""Factory for Twisted ClientTLSOptions that are used to make connections
to remote servers for federation."""

def __init__(self, config):
# We don't use config options yet
pass

def get_options(self, host):
return ClientTLSOptions(
host.decode('utf-8'),
CertificateOptions(verify=False).getContext()
)
4 changes: 2 additions & 2 deletions synapse/crypto/keyclient.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,14 @@


@defer.inlineCallbacks
def fetch_server_key(server_name, ssl_context_factory, path=KEY_API_V1):
def fetch_server_key(server_name, tls_client_options_factory, path=KEY_API_V1):
"""Fetch the keys for a remote server."""

factory = SynapseKeyClientFactory()
factory.path = path
factory.host = server_name
endpoint = matrix_federation_endpoint(
reactor, server_name, ssl_context_factory, timeout=30
reactor, server_name, tls_client_options_factory, timeout=30
)

for i in range(5):
Expand Down
4 changes: 2 additions & 2 deletions synapse/crypto/keyring.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -512,7 +512,7 @@ def get_server_verify_key_v2_direct(self, server_name, key_ids):
continue

(response, tls_certificate) = yield fetch_server_key(
server_name, self.hs.tls_server_context_factory,
server_name, self.hs.tls_client_options_factory,
path=(b"/_matrix/key/v2/server/%s" % (
urllib.quote(requested_key_id),
)).encode("ascii"),
Expand Down Expand Up @@ -655,7 +655,7 @@ def get_server_verify_key_v1_direct(self, server_name, key_ids):
# Try to fetch the key from the remote server.

(response, tls_certificate) = yield fetch_server_key(
server_name, self.hs.tls_server_context_factory
server_name, self.hs.tls_client_options_factory
)

# Check the response.
Expand Down
12 changes: 6 additions & 6 deletions synapse/http/endpoint.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@

logger = logging.getLogger(__name__)


SERVER_CACHE = {}

# our record of an individual server which can be tried to reach a destination.
Expand Down Expand Up @@ -103,15 +102,16 @@ def parse_and_validate_server_name(server_name):
return host, port


def matrix_federation_endpoint(reactor, destination, ssl_context_factory=None,
def matrix_federation_endpoint(reactor, destination, tls_client_options_factory=None,
timeout=None):
"""Construct an endpoint for the given matrix destination.

Args:
reactor: Twisted reactor.
destination (bytes): The name of the server to connect to.
ssl_context_factory (twisted.internet.ssl.ContextFactory): Factory
which generates SSL contexts to use for TLS.
tls_client_options_factory
(synapse.crypto.context_factory.ClientTLSOptionsFactory):
Factory which generates TLS options for client connections.
timeout (int): connection timeout in seconds
"""

Expand All @@ -122,13 +122,13 @@ def matrix_federation_endpoint(reactor, destination, ssl_context_factory=None,
if timeout is not None:
endpoint_kw_args.update(timeout=timeout)

if ssl_context_factory is None:
if tls_client_options_factory is None:
transport_endpoint = HostnameEndpoint
default_port = 8008
else:
def transport_endpoint(reactor, host, port, timeout):
return wrapClientTLS(
ssl_context_factory,
tls_client_options_factory.get_options(host),
HostnameEndpoint(reactor, host, port, timeout=timeout))
default_port = 8448

Expand Down
4 changes: 2 additions & 2 deletions synapse/http/matrixfederationclient.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,14 +61,14 @@

class MatrixFederationEndpointFactory(object):
def __init__(self, hs):
self.tls_server_context_factory = hs.tls_server_context_factory
self.tls_client_options_factory = hs.tls_client_options_factory

def endpointForURI(self, uri):
destination = uri.netloc

return matrix_federation_endpoint(
reactor, destination, timeout=10,
ssl_context_factory=self.tls_server_context_factory
tls_client_options_factory=self.tls_client_options_factory
)


Expand Down
2 changes: 2 additions & 0 deletions tests/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@ def setup_test_homeserver(name="test", datastore=None, config=None, reactor=None
database_engine=db_engine,
room_list_handler=object(),
tls_server_context_factory=Mock(),
tls_client_options_factory=Mock(),
reactor=reactor,
**kargs
)
Expand All @@ -138,6 +139,7 @@ def setup_test_homeserver(name="test", datastore=None, config=None, reactor=None
database_engine=db_engine,
room_list_handler=object(),
tls_server_context_factory=Mock(),
tls_client_options_factory=Mock(),
reactor=reactor,
**kargs
)
Expand Down