Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Share SSL options for well-known requests #5794

Merged
merged 2 commits into from
Jul 31, 2019
Merged

Share SSL options for well-known requests #5794

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a9bcae9
Share SSL options for well-known requests
erikjohnston Jul 30, 2019
3b7a35a
Newsfile
erikjohnston Jul 31, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/5794.misc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Improve performance when making `.well-known` requests by sharing the SSL options between requests.
8 changes: 8 additions & 0 deletions synapse/crypto/context_factory.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
platformTrust,
)
from twisted.python.failure import Failure
from twisted.web.iweb import IPolicyForHTTPS

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -74,6 +75,7 @@ def getContext(self):
return self._context


@implementer(IPolicyForHTTPS)
class ClientTLSOptionsFactory(object):
"""Factory for Twisted SSLClientConnectionCreators that are used to make connections
to remote servers for federation.
Expand Down Expand Up @@ -146,6 +148,12 @@ def _context_info_cb(ssl_connection, where, ret):
f = Failure()
tls_protocol.failVerification(f)

def creatorForNetloc(self, hostname, port):
"""Implements the IPolicyForHTTPS interace so that this can be passed
directly to agents.
"""
return self.get_options(hostname)


@implementer(IOpenSSLClientConnectionCreator)
class SSLClientConnectionCreator(object):
Expand Down
16 changes: 5 additions & 11 deletions synapse/http/federation/matrix_federation_agent.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,10 +64,6 @@ class MatrixFederationAgent(object):
tls_client_options_factory (ClientTLSOptionsFactory|None):
factory to use for fetching client tls options, or none to disable TLS.

_well_known_tls_policy (IPolicyForHTTPS|None):
TLS policy to use for fetching .well-known files. None to use a default
(browser-like) implementation.

_srv_resolver (SrvResolver|None):
SRVResolver impl to use for looking up SRV records. None to use a default
implementation.
Expand All @@ -81,7 +77,6 @@ def __init__(
self,
reactor,
tls_client_options_factory,
_well_known_tls_policy=None,
_srv_resolver=None,
_well_known_cache=well_known_cache,
):
Expand All @@ -98,13 +93,12 @@ def __init__(
self._pool.maxPersistentPerHost = 5
self._pool.cachedConnectionTimeout = 2 * 60

agent_args = {}
if _well_known_tls_policy is not None:
# the param is called 'contextFactory', but actually passing a
# contextfactory is deprecated, and it expects an IPolicyForHTTPS.
agent_args["contextFactory"] = _well_known_tls_policy
_well_known_agent = RedirectAgent(
Agent(self._reactor, pool=self._pool, **agent_args)
Agent(
self._reactor,
pool=self._pool,
contextFactory=tls_client_options_factory,
)
)
self._well_known_agent = _well_known_agent

Expand Down
12 changes: 6 additions & 6 deletions tests/http/federation/test_matrix_federation_agent.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,15 +75,13 @@ def setUp(self):

config_dict = default_config("test", parse=False)
config_dict["federation_custom_ca_list"] = [get_test_ca_cert_file()]
# config_dict["trusted_key_servers"] = []

self._config = config = HomeServerConfig()
config.parse_config_dict(config_dict, "", "")

self.agent = MatrixFederationAgent(
reactor=self.reactor,
tls_client_options_factory=ClientTLSOptionsFactory(config),
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
_srv_resolver=self.mock_resolver,
_well_known_cache=self.well_known_cache,
)
Expand Down Expand Up @@ -691,16 +689,18 @@ def test_get_well_known_unsigned_cert(self):
not signed by a CA
"""

# we use the same test server as the other tests, but use an agent
# with _well_known_tls_policy left to the default, which will not
# trust it (since the presented cert is signed by a test CA)
# we use the same test server as the other tests, but use an agent with
# the config left to the default, which will not trust it (since the
# presented cert is signed by a test CA)

self.mock_resolver.resolve_service.side_effect = lambda _: []
self.reactor.lookups["testserv"] = "1.2.3.4"

config = default_config("test", parse=True)

agent = MatrixFederationAgent(
reactor=self.reactor,
tls_client_options_factory=ClientTLSOptionsFactory(self._config),
tls_client_options_factory=ClientTLSOptionsFactory(config),
_srv_resolver=self.mock_resolver,
_well_known_cache=self.well_known_cache,
)
Expand Down