Merge pull request #272 from matrix-org/daniel/insecureclient

Allow configuration to ignore invalid SSL certs
2015-09-15 16:52:38 +01:00 · 2015-09-15 16:52:38 +01:00 · 2c8f16257a
commit 2c8f16257a
parent 1107e83b54 d4af08a167
7 changed files with 55 additions and 12 deletions
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@ -221,7 +221,7 @@ class SynapseHomeServer(HomeServer):
                    listener_config,
                    root_resource,
                ),
-                self.tls_context_factory,
+                self.tls_server_context_factory,
                interface=bind_address
            )
        else:
@ -365,7 +365,6 @@ def setup(config_options):
    Args:
        config_options_options: The options passed to Synapse. Usually
            `sys.argv[1:]`.
-        should_run (bool): Whether to start the reactor.

    Returns:
        HomeServer
@ -388,7 +387,7 @@ def setup(config_options):

    events.USE_FROZEN_DICTS = config.use_frozen_dicts

-    tls_context_factory = context_factory.ServerContextFactory(config)
+    tls_server_context_factory = context_factory.ServerContextFactory(config)

    database_engine = create_engine(config.database_config["name"])
    config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection
@ -396,7 +395,7 @@ def setup(config_options):
    hs = SynapseHomeServer(
        config.server_name,
        db_config=config.database_config,
-        tls_context_factory=tls_context_factory,
+        tls_server_context_factory=tls_server_context_factory,
        config=config,
        content_addr=config.content_addr,
        version_string=version_string,
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -42,6 +42,14 @@ class TlsConfig(Config):
            config.get("tls_dh_params_path"), "tls_dh_params"
        )

+        # This config option applies to non-federation HTTP clients
+        # (e.g. for talking to recaptcha, identity servers, and such)
+        # It should never be used in production, and is intended for
+        # use only when running tests.
+        self.use_insecure_ssl_client_just_for_testing_do_not_use = config.get(
+            "use_insecure_ssl_client_just_for_testing_do_not_use"
+        )
+
    def default_config(self, config_dir_path, server_name):
        base_key_name = os.path.join(config_dir_path, server_name)

--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@ -470,7 +470,7 @@ class Keyring(object):
                continue

            (response, tls_certificate) = yield fetch_server_key(
-                server_name, self.hs.tls_context_factory,
+                server_name, self.hs.tls_server_context_factory,
                path=(b"/_matrix/key/v2/server/%s" % (
                    urllib.quote(requested_key_id),
                )).encode("ascii"),
@ -604,7 +604,7 @@ class Keyring(object):
        # Try to fetch the key from the remote server.

        (response, tls_certificate) = yield fetch_server_key(
-            server_name, self.hs.tls_context_factory
+            server_name, self.hs.tls_server_context_factory
        )

        # Check the response.
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -19,7 +19,6 @@ from ._base import BaseHandler
 from synapse.api.constants import LoginType
 from synapse.types import UserID
 from synapse.api.errors import LoginError, Codes
-from synapse.http.client import SimpleHttpClient
 from synapse.util.async import run_on_reactor

 from twisted.web.client import PartialDownloadError
@ -187,7 +186,7 @@ class AuthHandler(BaseHandler):
        # TODO: get this from the homeserver rather than creating a new one for
        # each request
        try:
-            client = SimpleHttpClient(self.hs)
+            client = self.hs.get_simple_http_client()
            resp_body = yield client.post_urlencoded_get_json(
                self.hs.config.recaptcha_siteverify_api,
                args={
--- a/synapse/http/client.py
+++ b/synapse/http/client.py
@ -12,6 +12,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+from OpenSSL import SSL
+from OpenSSL.SSL import VERIFY_NONE

 from synapse.api.errors import CodeMessageException
 from synapse.util.logcontext import preserve_context_over_fn
@ -19,7 +21,7 @@ import synapse.metrics

 from canonicaljson import encode_canonical_json

-from twisted.internet import defer, reactor
+from twisted.internet import defer, reactor, ssl
 from twisted.web.client import (
    Agent, readBody, FileBodyProducer, PartialDownloadError,
    HTTPConnectionPool,
@ -59,7 +61,12 @@ class SimpleHttpClient(object):
        # 'like a browser'
        pool = HTTPConnectionPool(reactor)
        pool.maxPersistentPerHost = 10
-        self.agent = Agent(reactor, pool=pool)
+        self.agent = Agent(
+            reactor,
+            pool=pool,
+            connectTimeout=15,
+            contextFactory=hs.get_http_client_context_factory()
+        )
        self.version_string = hs.version_string

    def request(self, method, uri, *args, **kwargs):
@ -252,3 +259,18 @@ def _print_ex(e):
            _print_ex(ex)
    else:
        logger.exception(e)
+
+
+class InsecureInterceptableContextFactory(ssl.ContextFactory):
+    """
+    Factory for PyOpenSSL SSL contexts which accepts any certificate for any domain.
+
+    Do not use this since it allows an attacker to intercept your communications.
+    """
+
+    def __init__(self):
+        self._context = SSL.Context(SSL.SSLv23_METHOD)
+        self._context.set_verify(VERIFY_NONE, lambda *_: None)
+
+    def getContext(self, hostname, port):
+        return self._context
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@ -57,14 +57,14 @@ incoming_responses_counter = metrics.register_counter(

 class MatrixFederationEndpointFactory(object):
    def __init__(self, hs):
-        self.tls_context_factory = hs.tls_context_factory
+        self.tls_server_context_factory = hs.tls_server_context_factory

    def endpointForURI(self, uri):
        destination = uri.netloc

        return matrix_federation_endpoint(
            reactor, destination, timeout=10,
-            ssl_context_factory=self.tls_context_factory
+            ssl_context_factory=self.tls_server_context_factory
        )


--- a/synapse/server.py
+++ b/synapse/server.py
@ -19,7 +19,9 @@
 # partial one for unit test mocking.

 # Imports required for the default HomeServer() implementation
+from twisted.web.client import BrowserLikePolicyForHTTPS
 from synapse.federation import initialize_http_replication
+from synapse.http.client import SimpleHttpClient,  InsecureInterceptableContextFactory
 from synapse.notifier import Notifier
 from synapse.api.auth import Auth
 from synapse.handlers import Handlers
@ -87,6 +89,8 @@ class BaseHomeServer(object):
        'pusherpool',
        'event_builder_factory',
        'filtering',
+        'http_client_context_factory',
+        'simple_http_client',
    ]

    def __init__(self, hostname, **kwargs):
@ -174,6 +178,17 @@ class HomeServer(BaseHomeServer):
    def build_auth(self):
        return Auth(self)

+    def build_http_client_context_factory(self):
+        config = self.get_config()
+        return (
+            InsecureInterceptableContextFactory()
+            if config.use_insecure_ssl_client_just_for_testing_do_not_use
+            else BrowserLikePolicyForHTTPS()
+        )
+
+    def build_simple_http_client(self):
+        return SimpleHttpClient(self)
+
    def build_v1auth(self):
        orf = Auth(self)
        # Matrix spec makes no reference to what HTTP status code is returned,