
Cache config options in SSL verification #9255

Merged
merged 3 commits into from
Jan 28, 2021
Changes from 2 commits
1 change: 1 addition & 0 deletions changelog.d/9238.misc
@@ -0,0 +1 @@
Add ratelimited to 3PID `/requestToken` API.
clokep marked this conversation as resolved.
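--- a/changelog.d/9255.misc
+++ b/changelog.d/9255.misc
@@ -0,0 +1 @@
+Minor performance improvement during TLS handshake.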
13 changes: 9 additions & 4 deletions synapse/crypto/context_factory.py
Expand Up @@ -125,19 +125,24 @@ def __init__(self, config):
self._no_verify_ssl_context = _no_verify_ssl.getContext()
self._no_verify_ssl_context.set_info_callback(_context_info_cb)

def get_options(self, host: bytes):
self._should_verify = self._config.federation_verify_certificates

self._federation_certificate_verification_whitelist = (
self._config.federation_certificate_verification_whitelist
)

def get_options(self, host: bytes):
# IPolicyForHTTPS.get_options takes bytes, but we want to compare
# against the str whitelist. The hostnames in the whitelist are already
# IDNA-encoded like the hosts will be here.
ascii_host = host.decode("ascii")

# Check if certificate verification has been enabled
should_verify = self._config.federation_verify_certificates
should_verify = self._should_verify
clokep marked this conversation as resolved.

# Check if we've disabled certificate verification for this host
if should_verify:
for regex in self._config.federation_certificate_verification_whitelist:
if self._should_verify:
for regex in self._federation_certificate_verification_whitelist:
if regex.match(ascii_host):
should_verify = False
break
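Review bot: The values copied into `self._should_verify` and `self._federation_certificate_verification_whitelist` are now read once in `__init__`, so a later change to `federation_verify_certificates` or the whitelist on the config object would no longer reach `get_options`. Whether the config can change after this factory is built is not visible here, so it is worth confirming, since a stale value decides whether a federation peer's certificate is checked. If the factory is meant to be rebuilt on reload, a comment above the assignments would record that, for example `# Snapshot of the TLS verification settings; rebuild this factory if they change.` In `get_options` the local copy and the attribute are also mixed: `should_verify = self._should_verify` is followed by `if self._should_verify:`, where `if should_verify:` would read more consistently. Both `__init__` and `get_options` extend beyond the lines shown.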