add new optional config for tls_certificate_chain_path for folks with intermediate (chained) TLS certificates
This commit is contained in:
parent
dfc74c30c9
commit
64afbe6ccd
2 changed files with 19 additions and 3 deletions
@ -25,7 +25,17 @@ GENERATE_DH_PARAMS = False
|
||||||
class TlsConfig(Config):
|
class TlsConfig(Config):
|
||||||
def read_config(self, config):
|
def read_config(self, config):
|
||||||
self.tls_certificate = self.read_tls_certificate(
|
self.tls_certificate = self.read_tls_certificate(
|
||||||
config.get("tls_certificate_path")
|
config.get("tls_certificate_path"),
|
||||||
|
"tls_certificate"
|
||||||
|
)
|
||||||
|
|
||||||
|
tls_certificate_chain_path =
|
||||||
|
config.get("tls_certificate_chain_path")
|
||||||
|
|
||||||
|
if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
|
||||||
|
self.tls_certificate_chain = self.read_tls_certificate(
|
||||||
|
config.get("tls_certificate_chain_path"),
|
||||||
|
"tls_certificate_chain"
|
||||||
)
|
)
|
||||||
|
|
||||||
self.no_tls = config.get("no_tls", False)
|
self.no_tls = config.get("no_tls", False)
|
||||||
|
@ -45,6 +55,7 @@ class TlsConfig(Config):
|
||||||
base_key_name = os.path.join(config_dir_path, server_name)
|
base_key_name = os.path.join(config_dir_path, server_name)
|
||||||
|
|
||||||
tls_certificate_path = base_key_name + ".tls.crt"
|
tls_certificate_path = base_key_name + ".tls.crt"
|
||||||
|
tls_certificate_chain_path = base_key_name + ".tls.chain.crt"
|
||||||
tls_private_key_path = base_key_name + ".tls.key"
|
tls_private_key_path = base_key_name + ".tls.key"
|
||||||
tls_dh_params_path = base_key_name + ".tls.dh"
|
tls_dh_params_path = base_key_name + ".tls.dh"
|
||||||
|
|
||||||
|
@ -52,6 +63,9 @@ class TlsConfig(Config):
|
||||||
# PEM encoded X509 certificate for TLS
|
# PEM encoded X509 certificate for TLS
|
||||||
tls_certificate_path: "%(tls_certificate_path)s"
|
tls_certificate_path: "%(tls_certificate_path)s"
|
||||||
|
|
||||||
|
# PEM encoded X509 intermediary certificate file for TLS (optional)
|
||||||
|
# tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
|
||||||
|
|
||||||
# PEM encoded private key for TLS
|
# PEM encoded private key for TLS
|
||||||
tls_private_key_path: "%(tls_private_key_path)s"
|
tls_private_key_path: "%(tls_private_key_path)s"
|
||||||
|
|
||||||
|
@ -62,8 +76,8 @@ class TlsConfig(Config):
|
||||||
no_tls: False
|
no_tls: False
|
||||||
""" % locals()
|
""" % locals()
|
||||||
|
|
||||||
def read_tls_certificate(self, cert_path):
|
def read_tls_certificate(self, cert_path, config_name):
|
||||||
cert_pem = self.read_file(cert_path, "tls_certificate")
|
cert_pem = self.read_file(cert_path, config_name)
|
||||||
return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
|
return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
|
||||||
|
|
||||||
def read_tls_private_key(self, private_key_path):
|
def read_tls_private_key(self, private_key_path):
|
||||||
|
|
|
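Review bot: In the first hunk of read_config, `self.tls_certificate_chain` is assigned only inside the `if tls_certificate_chain_path and os.path.exists(...)` branch, so on any homeserver that does not set the new option the attribute never exists and the `config.tls_certificate_chain` read in ServerContextFactory raises AttributeError at startup. The `os.path.exists` test is also the wrong failure mode for a TLS setting: a mistyped path is silently ignored and the server goes on presenting a leaf-only chain that clients and federation peers cannot validate, whereas `read_file` (already used by `read_tls_certificate`) fails loudly with the config name. I would default the attribute to None, drop the exists check and let the read raise. Note also that `crypto.load_certificate` parses only the first PEM block, so a chain file holding more than one intermediate would silently lose the rest; if that case is meant to be supported the PEM text needs splitting into one X509 per block before this is wired into the context. read_config continues past the end of the hunk.
```python
        # Default to None so the TLS context factory can test the attribute
        # on homeservers that do not configure a chain.
        self.tls_certificate_chain = None
        tls_certificate_chain_path = config.get("tls_certificate_chain_path")
        if tls_certificate_chain_path:
            # No os.path.exists guard: a mistyped path must not silently
            # produce a server that presents an incomplete chain. read_file
            # raises for a missing or unreadable file.
            self.tls_certificate_chain = self.read_tls_certificate(
                tls_certificate_chain_path, "tls_certificate_chain"
            )
        # … unchanged: no_tls and the rest of read_config …
```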
@ -38,6 +38,8 @@ class ServerContextFactory(ssl.ContextFactory):
|
||||||
logger.exception("Failed to enable eliptic curve for TLS")
|
logger.exception("Failed to enable eliptic curve for TLS")
|
||||||
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
|
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
|
||||||
context.use_certificate(config.tls_certificate)
|
context.use_certificate(config.tls_certificate)
|
||||||
|
if config.tls_certificate_chain:
|
||||||
|
context.use_certificate_chain_file(config.tls_certificate_chain)
|
||||||
|
|
||||||
if not config.no_tls:
|
if not config.no_tls:
|
||||||
context.use_privatekey(config.tls_private_key)
|
context.use_privatekey(config.tls_private_key)
|
||||||
|
|
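Review bot: `context.use_certificate_chain_file(config.tls_certificate_chain)` passes an X509 object where pyOpenSSL expects a file name, so a homeserver that configures the new option fails with a TypeError when the context is built, and when the option is absent the attribute lookup itself raises AttributeError because read_config only assigns it inside its `if`. Even if a path were passed, OpenSSL's chain-file loader is documented to take the first certificate in that file as the end-entity certificate, which would replace the leaf loaded by `use_certificate` on the line above with the intermediate. The parsed object should be attached as an extra chain certificate instead: `if getattr(config, "tls_certificate_chain", None):` / `    context.add_extra_chain_cert(config.tls_certificate_chain)`. This only covers a single intermediate, since the config side parses one PEM block; a multi-certificate chain would need one `add_extra_chain_cert` call per certificate. The enclosing method starts before this hunk.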