Commit efe7b317 authored by Richard van der Hoff's avatar Richard van der Hoff

Fix federation connections to literal IP addresses

turns out we need a shiny version of service_identity to enforce this
correctly.
parent d11c634c
...@@ -17,7 +17,7 @@ import logging ...@@ -17,7 +17,7 @@ import logging
import idna import idna
from service_identity import VerificationError from service_identity import VerificationError
from service_identity.pyopenssl import verify_hostname from service_identity.pyopenssl import verify_hostname, verify_ip_address
from zope.interface import implementer from zope.interface import implementer
from OpenSSL import SSL, crypto from OpenSSL import SSL, crypto
...@@ -156,7 +156,7 @@ class ConnectionVerifier(object): ...@@ -156,7 +156,7 @@ class ConnectionVerifier(object):
if isIPAddress(hostname) or isIPv6Address(hostname): if isIPAddress(hostname) or isIPv6Address(hostname):
self._hostnameBytes = hostname.encode('ascii') self._hostnameBytes = hostname.encode('ascii')
self._sendSNI = False self._is_ip_address = True
else: else:
# twisted's ClientTLSOptions falls back to the stdlib impl here if # twisted's ClientTLSOptions falls back to the stdlib impl here if
# idna is not installed, but points out that lacks support for # idna is not installed, but points out that lacks support for
...@@ -164,17 +164,20 @@ class ConnectionVerifier(object): ...@@ -164,17 +164,20 @@ class ConnectionVerifier(object):
# #
# We can rely on having idna. # We can rely on having idna.
self._hostnameBytes = idna.encode(hostname) self._hostnameBytes = idna.encode(hostname)
self._sendSNI = True self._is_ip_address = False
self._hostnameASCII = self._hostnameBytes.decode("ascii") self._hostnameASCII = self._hostnameBytes.decode("ascii")
def verify_context_info_cb(self, ssl_connection, where): def verify_context_info_cb(self, ssl_connection, where):
if where & SSL.SSL_CB_HANDSHAKE_START and self._sendSNI: if where & SSL.SSL_CB_HANDSHAKE_START and not self._is_ip_address:
ssl_connection.set_tlsext_host_name(self._hostnameBytes) ssl_connection.set_tlsext_host_name(self._hostnameBytes)
if where & SSL.SSL_CB_HANDSHAKE_DONE and self._verify_certs: if where & SSL.SSL_CB_HANDSHAKE_DONE and self._verify_certs:
try: try:
verify_hostname(ssl_connection, self._hostnameASCII) if self._is_ip_address:
verify_ip_address(ssl_connection, self._hostnameASCII)
else:
verify_hostname(ssl_connection, self._hostnameASCII)
except VerificationError: except VerificationError:
f = Failure() f = Failure()
tls_protocol = ssl_connection.get_app_data() tls_protocol = ssl_connection.get_app_data()
......
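Review bot: The new IP branch `verify_ip_address(ssl_connection, self._hostnameASCII)` assumes `_hostnameASCII` is a bare address literal, but as far as I recall Twisted's `isIPv6Address` (the check in `__init__` above this hunk) also accepts a scope-suffixed literal like `fe80::1%eth0`, and service_identity hands the string to `ipaddress.ip_address`, which on older Pythons raises `ValueError` rather than `VerificationError` and would bypass the `except` that follows. If that holds for the pinned service_identity, either strip the scope id before storing `_hostnameBytes` or widen the handler to `except (VerificationError, ValueError):`. A short comment on the new branch would also help operators understand the stricter matching: `# IP literals are matched against iPAddress SANs only; a cert carrying just dNSName entries is rejected.` The `__init__` edited here starts outside the hunk, and `verify_context_info_cb` continues past its end.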
...@@ -45,7 +45,9 @@ REQUIREMENTS = [ ...@@ -45,7 +45,9 @@ REQUIREMENTS = [
"signedjson>=1.0.0", "signedjson>=1.0.0",
"pynacl>=1.2.1", "pynacl>=1.2.1",
"idna>=2", "idna>=2",
"service_identity>=16.0.0",
# validating SSL certs for IP addresses requires service_identity 18.1.
"service_identity>=18.1.0",
# our logcontext handling relies on the ability to cancel inlineCallbacks # our logcontext handling relies on the ability to cancel inlineCallbacks
# (https://twistedmatrix.com/trac/ticket/4632) which landed in Twisted 18.7. # (https://twistedmatrix.com/trac/ticket/4632) which landed in Twisted 18.7.
......