Use federation blacklist for requests to identity servers #5935

Closed
anoadragon453 opened this issue Aug 30, 2019 · 7 comments

Comments

@anoadragon453
Member

commented Aug 30, 2019

Now that we're getting rid of the concept of trusted identity servers, we need to make sure that people can't try and poke at internal addresses when sending identity server-related requests.

The plan is to reuse the federation blacklist for these requests which by default blocks internal CIDR ranges.

@anoadragon453 anoadragon453 self-assigned this Aug 30, 2019
@anoadragon453 anoadragon453 added this to Holding Pen in Homeserver Task Board via automation Aug 30, 2019
@anoadragon453
Member Author

commented Aug 30, 2019

@richvdh @erikjohnston Should matrixfederationclient be used for these requests so we get blacklisting for free? Or does that muddy the definition of the client?

@richvdh
Member

commented Sep 2, 2019

Previously, using the MatrixFederationClient would have meant that you'd get .well-known and SRV routing, which you don't want for an IS. But now I'm not so sure. @erikjohnston do your recent changes to the agent mean that https urls skip the federation routing?

@erikjohnston
Member

commented Sep 2, 2019

> do your recent changes to the agent mean that https urls skip the federation routing?

That should be the case, though I haven't tested it.

@richvdh
Member

commented Sep 2, 2019

I guess another question: do we want the options relating to TLS certs to also apply to connections to the IS? (I think we probably do?)

@anoadragon453
Member Author

commented Sep 5, 2019

Would the federation_domain_whitelist config option affect this?

richvdh added a commit that referenced this issue Sep 23, 2019
…rs (#6000)

Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses.

Fixes #5935
@richvdh
Member

commented Sep 23, 2019

fixed by #6000

@richvdh richvdh closed this Sep 23, 2019
Homeserver Task Board automation moved this from Holding Pen to Done Sep 23, 2019
@richvdh
Member

commented Sep 23, 2019

(which did nothing to address the tls certs stuff: you'll have to use a real cert on your ID server)
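
The policy described in the commit message for #6000 above, sketched as an added example (not Synapse's code): user-supplied identity servers are checked against a CIDR blacklist, while servers the admin configured as delegates bypass it. The function names, the sample blacklist and the stub resolver are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample list of internal ranges; an assumption, not the project's shipped default.
SAMPLE_BLACKLIST = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "id.example.org": ["203.0.113.10"],
    "intranet.example.org": ["10.0.0.5"],
    "mixed.example.org": ["203.0.113.10", "::ffff:127.0.0.1"],
}

def resolve(host):
    """Hypothetical resolver: returns every address the name maps to."""
    return FAKE_DNS.get(host, [])

def is_blacklisted(addr, networks=SAMPLE_BLACKLIST):
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address reaches the embedded IPv4 host, so check that one.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)

def may_contact_identity_server(host, trusted_delegate=False, resolver=resolve):
    # Servers the admin named in config are trusted and may sit on internal addresses.
    if trusted_delegate:
        return True
    try:
        ipaddress.ip_address(host)      # host is already an IP literal
        addrs = [host]
    except ValueError:
        addrs = list(resolver(host))
    # Fail closed if nothing resolves; reject if any candidate address is internal.
    return bool(addrs) and not any(is_blacklisted(a) for a in addrs)

if __name__ == "__main__":
    for h in ("id.example.org", "intranet.example.org",
              "mixed.example.org", "169.254.169.254"):
        print(h, may_contact_identity_server(h))
```

In a real HTTP client the check has to be applied to the address the connection is actually made to, since a separate lookup at connect time can return a different answer.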
