From 77a10f868cd05fef123ca43b3cebf834cc704326 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Thu, 28 Jan 2021 16:31:20 +0000
Subject: [PATCH 1/3] Cache config options in SSL verification
Reading from the config object is *slow*.
---
 synapse/crypto/context_factory.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 74b67b230a3e..14b21796d9ab 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -125,19 +125,24 @@ def __init__(self, config):
 self._no_verify_ssl_context = _no_verify_ssl.getContext()
 self._no_verify_ssl_context.set_info_callback(_context_info_cb)
- def get_options(self, host: bytes):
+ self._should_verify = self._config.federation_verify_certificates
+
+ self._federation_certificate_verification_whitelist = (
+ self._config.federation_certificate_verification_whitelist
+ )
+ def get_options(self, host: bytes):
 # IPolicyForHTTPS.get_options takes bytes, but we want to compare
 # against the str whitelist. The hostnames in the whitelist are already
 # IDNA-encoded like the hosts will be here.
 ascii_host = host.decode("ascii")
 # Check if certificate verification has been enabled
- should_verify = self._config.federation_verify_certificates
+ should_verify = self._should_verify
 # Check if we've disabled certificate verification for this host
- if should_verify:
- for regex in self._config.federation_certificate_verification_whitelist:
+ if self._should_verify:
+ for regex in self._federation_certificate_verification_whitelist:
 if regex.match(ascii_host):
 should_verify = False
 break
From 25e7a9aa26cb6cccf77b8917e22065ff24bc862f Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Thu, 28 Jan 2021 16:34:46 +0000
Subject: [PATCH 2/3] Newsfile
---
 changelog.d/9238.misc | 1 +
 changelog.d/9255.misc | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 changelog.d/9238.misc
 create mode 100644 changelog.d/9255.misc
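Review bot: The two attributes added at the end of `__init__` in synapse/crypto/context_factory.py freeze the federation TLS verification policy for the lifetime of the factory, and nothing in the new code says so. If the config object can change after construction (not visible from this hunk), an operator who re-enables `federation_verify_certificates` or removes a host from `federation_certificate_verification_whitelist` would keep the old, weaker behaviour until the factory is rebuilt. I would add a comment above the assignments such as `# Snapshot of the verification policy, read once because config lookups are slow; later config changes are not seen here.` In `get_options`, the new `if self._should_verify:` tests the attribute while the loop mutates the local `should_verify` initialised on the line above; `if should_verify:` would keep the function reading a single variable. Both `__init__` and `get_options` extend beyond the hunk.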
diff --git a/changelog.d/9238.misc b/changelog.d/9238.misc
new file mode 100644
index 000000000000..143a3e14f523
--- /dev/null
+++ b/changelog.d/9238.misc
@@ -0,0 +1 @@
+Add ratelimited to 3PID `/requestToken` API.
diff --git a/changelog.d/9255.misc b/changelog.d/9255.misc
new file mode 100644
index 000000000000..f723b8ec4f62
--- /dev/null
+++ b/changelog.d/9255.misc
@@ -0,0 +1 @@
+Minor performance improvement during TLS handshake.
From fd9c83d080d5f1ac0f5c3e69c427f0c185aacc9f Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Thu, 28 Jan 2021 17:13:47 +0000
Subject: [PATCH 3/3] Remove spurious changelog
---
 changelog.d/9238.misc | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 changelog.d/9238.misc
diff --git a/changelog.d/9238.misc b/changelog.d/9238.misc
deleted file mode 100644
index 143a3e14f523..000000000000
--- a/changelog.d/9238.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add ratelimited to 3PID `/requestToken` API.