4 years ago · a9bcae9f50
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -31,6 +31,7 @@ from twisted.internet.ssl import (
 
				     platformTrust,
			
 
				 )
			
 
				 from twisted.python.failure import Failure
			
 
				+from twisted.web.iweb import IPolicyForHTTPS
			
 
				 
			
 
				 logger = logging.getLogger(__name__)
			
 
				 
			
@@ -74,6 +75,7 @@ class ServerContextFactory(ContextFactory):
 
				         return self._context
			
 
				 
			
 
				 
			
 
				+@implementer(IPolicyForHTTPS)
			
 
				 class ClientTLSOptionsFactory(object):
			
 
				     """Factory for Twisted SSLClientConnectionCreators that are used to make connections
			
 
				     to remote servers for federation.
			
@@ -146,6 +148,12 @@ class ClientTLSOptionsFactory(object):
 
				             f = Failure()
			
 
				             tls_protocol.failVerification(f)
			
 
				 
			
 
				+    def creatorForNetloc(self, hostname, port):
			
 
				+        """Implements the IPolicyForHTTPS interace so that this can be passed
			
 
				+        directly to agents.
			
 
				+        """
			
 
				+        return self.get_options(hostname)
			
 
				+
			
 
				 
			
 
				 @implementer(IOpenSSLClientConnectionCreator)
			
 
				 class SSLClientConnectionCreator(object):
			
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -64,10 +64,6 @@ class MatrixFederationAgent(object):
 
				         tls_client_options_factory (ClientTLSOptionsFactory|None):
			
 
				             factory to use for fetching client tls options, or none to disable TLS.
			
 
				 
			
 
				-        _well_known_tls_policy (IPolicyForHTTPS|None):
			
 
				-            TLS policy to use for fetching .well-known files. None to use a default
			
 
				-            (browser-like) implementation.
			
 
				-
			
 
				         _srv_resolver (SrvResolver|None):
			
 
				             SRVResolver impl to use for looking up SRV records. None to use a default
			
 
				             implementation.
			
@@ -81,7 +77,6 @@ class MatrixFederationAgent(object):
 
				         self,
			
 
				         reactor,
			
 
				         tls_client_options_factory,
			
 
				-        _well_known_tls_policy=None,
			
 
				         _srv_resolver=None,
			
 
				         _well_known_cache=well_known_cache,
			
 
				     ):
			
@@ -98,13 +93,12 @@ class MatrixFederationAgent(object):
 
				         self._pool.maxPersistentPerHost = 5
			
 
				         self._pool.cachedConnectionTimeout = 2 * 60
			
 
				 
			
 
				-        agent_args = {}
			
 
				-        if _well_known_tls_policy is not None:
			
 
				-            # the param is called 'contextFactory', but actually passing a
			
 
				-            # contextfactory is deprecated, and it expects an IPolicyForHTTPS.
			
 
				-            agent_args["contextFactory"] = _well_known_tls_policy
			
 
				         _well_known_agent = RedirectAgent(
			
 
				-            Agent(self._reactor, pool=self._pool, **agent_args)
			
 
				+            Agent(
			
 
				+                self._reactor,
			
 
				+                pool=self._pool,
			
 
				+                contextFactory=tls_client_options_factory,
			
 
				+            )
			
 
				         )
			
 
				         self._well_known_agent = _well_known_agent
			
 
				 
			
--- a/tests/http/federation/test_matrix_federation_agent.py
+++ b/tests/http/federation/test_matrix_federation_agent.py
@@ -75,7 +75,6 @@ class MatrixFederationAgentTests(TestCase):
 
				 
			
 
				         config_dict = default_config("test", parse=False)
			
 
				         config_dict["federation_custom_ca_list"] = [get_test_ca_cert_file()]
			
 
				-        # config_dict["trusted_key_servers"] = []
			
 
				 
			
 
				         self._config = config = HomeServerConfig()
			
 
				         config.parse_config_dict(config_dict, "", "")
			
@@ -83,7 +82,6 @@ class MatrixFederationAgentTests(TestCase):
 
				         self.agent = MatrixFederationAgent(
			
 
				             reactor=self.reactor,
			
 
				             tls_client_options_factory=ClientTLSOptionsFactory(config),
			
 
				-            _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
			
 
				             _srv_resolver=self.mock_resolver,
			
 
				             _well_known_cache=self.well_known_cache,
			
 
				         )
			
@@ -691,16 +689,18 @@ class MatrixFederationAgentTests(TestCase):
 
				         not signed by a CA
			
 
				         """
			
 
				 
			
 
				-        # we use the same test server as the other tests, but use an agent
			
 
				-        # with _well_known_tls_policy left to the default, which will not
			
 
				-        # trust it (since the presented cert is signed by a test CA)
			
 
				+        # we use the same test server as the other tests, but use an agent with
			
 
				+        # the config left to the default, which will not trust it (since the
			
 
				+        # presented cert is signed by a test CA)
			
 
				 
			
 
				         self.mock_resolver.resolve_service.side_effect = lambda _: []
			
 
				         self.reactor.lookups["testserv"] = "1.2.3.4"
			
 
				 
			
 
				+        config = default_config("test", parse=True)
			
 
				+
			
 
				         agent = MatrixFederationAgent(
			
 
				             reactor=self.reactor,
			
 
				-            tls_client_options_factory=ClientTLSOptionsFactory(self._config),
			
 
				+            tls_client_options_factory=ClientTLSOptionsFactory(config),
			
 
				             _srv_resolver=self.mock_resolver,
			
 
				             _well_known_cache=self.well_known_cache,
			
 
				         )