Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[9740] ESMTPSender: dont't force TLSv1.0 by default #1225

Merged
merged 8 commits into from
Mar 28, 2020
Merged

[9740] ESMTPSender: dont't force TLSv1.0 by default #1225

merged 8 commits into from
Mar 28, 2020

Conversation

mmilata
Copy link
Contributor

@mmilata mmilata commented Mar 3, 2020
edited
Loading

Hello, I've also been bitten by matrix-org/synapse#6211 and would like to see if the fix is acceptable for inclusion in Twisted.

Contributor Checklist:

@mmilata mmilata changed the title [9470] ESMTPSender: dont't force TLSv1.0 by default [9740] ESMTPSender: dont't force TLSv1.0 by default Mar 3, 2020
glyph
glyph requested changes Mar 8, 2020
View reviewed changes
Copy link
Member

@glyph glyph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Martin!

Thanks so much for your contribution to Twisted.

The correct fix, here, if you want proper TLS security on twisted.mail connections, would be to drop ClientContextFactory entirely, and use optionsForClientTLS. Dropping TLS 1.0 as a protocol version is good, but security-wise this change is almost meaningless, as ssl.ClientContextFactory doesn't verify certificates, or hostnames, or really provide ''any'' proper security properties. (Separate to this change, it should be deprecated and removed from Twisted entirely.)

Dropping in optionsForClientTLS here should not be much harder that just fixing the protocol version, and it would have the added benefit that it would use a whole slew of ''other'' better security attributes as well. Would you mind modifying your patch to do that?

Thanks!

@mmilata
Copy link
Contributor Author

mmilata commented Mar 10, 2020
edited
Loading

@glyph thanks for quick review. I tried to replace the ClientContextFactory ctor call with optionsForClientTLS, however it requires the server hostname which I'm not quite sure how to pass to it without breaking the public interface. PTAL

Anyway the TLS negotiation goes further now before rejecting my server's self-signed cert:laughing:. Oh well, probably a good time to replace it with LetsEncrypt one.

@mmilata
Copy link
Contributor Author

mmilata commented Mar 12, 2020

Installed LE certificate & now matrix-synapse can send emails through postfix configured to only use TLS1.1 or higher with this patch.

glyph
glyph reviewed Mar 17, 2020
View reviewed changes
@glyph
Copy link
Member

glyph commented Mar 17, 2020

Thanks again for your contribution! I think the compatibility break is acceptable given the security needs here. Please do re-add the review keyword so we notice it on twistedmatrix.com when you've addressed feedback, so we find it again.

rodrigc
rodrigc approved these changes Mar 28, 2020
View reviewed changes
Copy link
Contributor

@rodrigc rodrigc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think @mmilata has addressed the review feedback, and this PR now looks OK.

@rodrigc rodrigc merged commit d329445 into twisted:trunk Mar 28, 2020
@mmilata
Copy link
Contributor Author

mmilata commented Mar 28, 2020

Thanks @glyph & @rodrigc!

@mmilata mmilata deleted the 9470-esmtp-sender-tls-version branch March 28, 2020 01:29
@rodrigc
Copy link
Contributor

rodrigc commented Mar 28, 2020

@mmilata thank you for contributing to Twisted!

@Neustradamus
Copy link

Neustradamus commented Apr 25, 2020
edited
Loading

@rodrigc: Can you release a new version with this fix?

Several projects like Matrix wait you...
cc @clokep, @Half-Shot

@mmilata: Thanks!

Ticket: matrix-org/synapse#6211

@rodrigc
Copy link
Contributor

rodrigc commented May 5, 2020

@Neustradamus I am not the release manager for Twisted, so cannot release a new version. @hawkowl is the release manager for Twisted.

@Neustradamus
Copy link

@rodrigc: Thanks for your reply! :)

It is really important because a lot of people/servers have this problem...

@hawkowl: Thanks a lot in advance for a new release with this important fix.

@Neustradamus
Copy link

Dear @gjabell, @madpsy, @fadenb, @neilisfragile, @thereapman, @sbiberhofer, @henry-nicolas, @plamenh, @richvdh, @vmario89, @ChatCloud, @MisterAlainDev, @schwukas, @kaiyou, @babolivier, @mmilata, @clokep, @n3m3s1s, @Half-Shot, @exarkun, @anoadragon453: A good news, there are some "20.11.0" test-builds here:

Time to test :)

cc: @glyph.

@richvdh
Copy link
Contributor

richvdh commented Oct 14, 2020

@Neustradamus you've already been asked not to mention the entire world over at matrix-org/synapse#6211. If people are interested they will follow the issue themselves. Don't be obnoxious.

@Neustradamus
Copy link

Good news the 21.02.0 RC1 is out!

@Neustradamus
Copy link

Good news, the 21.02.0 stable version is out!

Thanks a lot to @mmilata for this very important contribution and @rodrigc, @glyph and @twisted (Twisted Matrix Labs) team.

This was referenced Mar 2, 2021
Closed
Closed
@thegcat thegcat mentioned this pull request Jun 2, 2021
Open
@mguentner mguentner mentioned this pull request Aug 21, 2021
Merged
12 tasks
@mguentner mguentner mentioned this pull request Aug 22, 2021
Merged
13 tasks
mguentner added a commit to mguentner/nixpkgs that referenced this pull request Aug 22, 2021
@mguentner
matrix-synapse: override twisted 20.3.0 -> 21.7.0
e9d6163 
see upstream issues:

twisted/twisted#1225 (comment)
matrix-org/synapse#6211
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glyph glyph glyph requested changes

@rodrigc rodrigc rodrigc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mmilata @glyph @rodrigc @Neustradamus @richvdh