Merge branch 'rav/tls_config_logging_fixes' into rav/tls_cert/work
This commit is contained in:
commit
be794c7cf7
3 changed files with 39 additions and 22 deletions
changelog.d/4615.misc
changelog.d/4615.misc
|
@ -0,0 +1 @@
|
||||||
|
Logging improvements around TLS certs
|
|
@ -213,13 +213,11 @@ def refresh_certificate(hs):
|
||||||
Refresh the TLS certificates that Synapse is using by re-reading them from
|
Refresh the TLS certificates that Synapse is using by re-reading them from
|
||||||
disk and updating the TLS context factories to use them.
|
disk and updating the TLS context factories to use them.
|
||||||
"""
|
"""
|
||||||
logging.info("Loading certificate from disk...")
|
|
||||||
hs.config.read_certificate_from_disk()
|
hs.config.read_certificate_from_disk()
|
||||||
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
|
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
|
||||||
logging.info("Certificate loaded.")
|
|
||||||
|
|
||||||
if hs._listening_services:
|
if hs._listening_services:
|
||||||
logging.info("Updating context factories...")
|
logger.info("Updating context factories...")
|
||||||
for i in hs._listening_services:
|
for i in hs._listening_services:
|
||||||
# When you listenSSL, it doesn't make an SSL port but a TCP one with
|
# When you listenSSL, it doesn't make an SSL port but a TCP one with
|
||||||
# a TLS wrapping factory around the factory you actually want to get
|
# a TLS wrapping factory around the factory you actually want to get
|
||||||
|
@ -234,7 +232,7 @@ def refresh_certificate(hs):
|
||||||
False,
|
False,
|
||||||
i.factory.wrappedFactory
|
i.factory.wrappedFactory
|
||||||
)
|
)
|
||||||
logging.info("Context factories updated.")
|
logger.info("Context factories updated.")
|
||||||
|
|
||||||
|
|
||||||
def start(hs, listeners=None):
|
def start(hs, listeners=None):
|
||||||
|
|
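Review bot: The two new `logger.info(...)` calls (`Updating context factories...` and `Context factories updated.`) depend on a module-level `logger` that is not visible in this hunk; if the module still only has `import logging` and no `logger = logging.getLogger(__name__)`, the refresh path would fail with a NameError the first time a certificate is reloaded, so that definition should be confirmed in the unchanged top of the file. Any `logging.info` calls left elsewhere in this module would also bypass the named logger, so it may be worth sweeping the rest of the file in the same change. The "Updating context factories..." message could carry the number of listeners being rewrapped, e.g. `logger.info("Updating context factories for %d listeners...", len(hs._listening_services))`, assuming `_listening_services` is a sized container (it is only iterated here). `refresh_certificate` starts before this hunk and its body continues past it.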
|
@ -25,7 +25,7 @@ from OpenSSL import crypto
|
||||||
|
|
||||||
from synapse.config._base import Config
|
from synapse.config._base import Config
|
||||||
|
|
||||||
logger = logging.getLogger()
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
class TlsConfig(Config):
|
class TlsConfig(Config):
|
||||||
|
@ -110,20 +110,10 @@ class TlsConfig(Config):
|
||||||
"""
|
"""
|
||||||
Read the certificates from disk.
|
Read the certificates from disk.
|
||||||
"""
|
"""
|
||||||
self.tls_certificate = self.read_tls_certificate(self.tls_certificate_file)
|
self.tls_certificate = self.read_tls_certificate()
|
||||||
|
|
||||||
# Check if it is self-signed, and issue a warning if so.
|
|
||||||
if self.tls_certificate.get_issuer() == self.tls_certificate.get_subject():
|
|
||||||
warnings.warn(
|
|
||||||
(
|
|
||||||
"Self-signed TLS certificates will not be accepted by Synapse 1.0. "
|
|
||||||
"Please either provide a valid certificate, or use Synapse's ACME "
|
|
||||||
"support to provision one."
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
if not self.no_tls:
|
if not self.no_tls:
|
||||||
self.tls_private_key = self.read_tls_private_key(self.tls_private_key_file)
|
self.tls_private_key = self.read_tls_private_key()
|
||||||
|
|
||||||
self.tls_fingerprints = list(self._original_tls_fingerprints)
|
self.tls_fingerprints = list(self._original_tls_fingerprints)
|
||||||
|
|
||||||
|
@ -250,10 +240,38 @@ class TlsConfig(Config):
|
||||||
% locals()
|
% locals()
|
||||||
)
|
)
|
||||||
|
|
||||||
def read_tls_certificate(self, cert_path):
|
def read_tls_certificate(self):
|
||||||
cert_pem = self.read_file(cert_path, "tls_certificate")
|
"""Reads the TLS certificate from the configured file, and returns it
|
||||||
return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
|
|
||||||
|
|
||||||
def read_tls_private_key(self, private_key_path):
|
Also checks if it is self-signed, and warns if so
|
||||||
private_key_pem = self.read_file(private_key_path, "tls_private_key")
|
|
||||||
|
Returns:
|
||||||
|
OpenSSL.crypto.X509: the certificate
|
||||||
|
"""
|
||||||
|
cert_path = self.tls_certificate_file
|
||||||
|
logger.info("Loading TLS certificate from %s", cert_path)
|
||||||
|
cert_pem = self.read_file(cert_path, "tls_certificate_path")
|
||||||
|
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
|
||||||
|
|
||||||
|
# Check if it is self-signed, and issue a warning if so.
|
||||||
|
if cert.get_issuer() == cert.get_subject():
|
||||||
|
warnings.warn(
|
||||||
|
(
|
||||||
|
"Self-signed TLS certificates will not be accepted by Synapse 1.0. "
|
||||||
|
"Please either provide a valid certificate, or use Synapse's ACME "
|
||||||
|
"support to provision one."
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
return cert
|
||||||
|
|
||||||
|
def read_tls_private_key(self):
|
||||||
|
"""Reads the TLS private key from the configured file, and returns it
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
OpenSSL.crypto.PKey: the private key
|
||||||
|
"""
|
||||||
|
private_key_path = self.tls_private_key_file
|
||||||
|
logger.info("Loading TLS key from %s", private_key_path)
|
||||||
|
private_key_pem = self.read_file(private_key_path, "tls_private_key_path")
|
||||||
return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
|
return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
|
||||||
|
|
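Review bot: In the new `read_tls_certificate`, the self-signed check still reports through `warnings.warn` while every other message added in this hunk goes through `logger`; under Python's default warning filter that text is printed once to stderr rather than to Synapse's configured log, so an operator is likely never to see it. `logger.warning("Self-signed TLS certificate loaded from %s; it will not be accepted by Synapse 1.0", cert_path)` would be consistent with the rest of the change and would name the offending file. The `cert.get_issuer() == cert.get_subject()` comparison is only a heuristic for self-signedness (it does not verify the signature with the certificate's own key), which the `# Check if it is self-signed` comment could say so nobody later treats it as a validity check. Both `read_tls_certificate` and `read_tls_private_key` also drop their path parameter, so any caller outside this file that still passes a path (tests, for example) would now fail with a TypeError; I cannot see other callers from here.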