tileradotorg/synapse
1
0
Fork 0
forked from MirrorHub/synapse
Code Pull requests Activity

remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates

Browse source
This commit is contained in:
Matthew Hodgson 2015-07-09 00:45:41 +01:00
parent 8ad2d2d1cb
commit fb8d2862c1
2 changed files with 10 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
synapse/config/tls.py
View file

@ -25,16 +25,9 @@ GENERATE_DH_PARAMS = False
class TlsConfig(Config): class TlsConfig(Config):
def read_config(self, config): def read_config(self, config):
self.tls_certificate = self.read_tls_certificate( self.tls_certificate = self.read_tls_certificate(
config.get("tls_certificate_path"), config.get("tls_certificate_path")
"tls_certificate"
) )
self.tls_certificate_file = config.get("tls_certificate_path");
tls_certificate_chain_path = config.get("tls_certificate_chain_path")
if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
self.tls_certificate_chain_file = tls_certificate_chain_path
else:
self.tls_certificate_chain = None
self.no_tls = config.get("no_tls", False) self.no_tls = config.get("no_tls", False)
@ -53,22 +46,17 @@ class TlsConfig(Config):
base_key_name = os.path.join(config_dir_path, server_name) base_key_name = os.path.join(config_dir_path, server_name)
tls_certificate_path = base_key_name + ".tls.crt" tls_certificate_path = base_key_name + ".tls.crt"
tls_certificate_chain_path = base_key_name + ".tls.chain.crt"
tls_private_key_path = base_key_name + ".tls.key" tls_private_key_path = base_key_name + ".tls.key"
tls_dh_params_path = base_key_name + ".tls.dh" tls_dh_params_path = base_key_name + ".tls.dh"
return """\ return """\
# PEM encoded X509 certificate for TLS # PEM encoded X509 certificate for TLS.
# You can replace the self-signed certificate that synapse
# autogenerates on launch with your own SSL certificate + key pair
# if you like. Any required intermediary certificates can be
# appended after the primary certificate in hierarchical order.
tls_certificate_path: "%(tls_certificate_path)s" tls_certificate_path: "%(tls_certificate_path)s"
# PEM encoded X509 intermediary certificate file for TLS (optional)
# This *must* be a concatenation of the tls_certificate pointed to
# by tls_certificate_path followed by the intermediary certificates
# in hierarchical order. If specified this option overrides the
# tls_certificate_path parameter.
#
# tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
# PEM encoded private key for TLS # PEM encoded private key for TLS
tls_private_key_path: "%(tls_private_key_path)s" tls_private_key_path: "%(tls_private_key_path)s"
@ -79,8 +67,8 @@ class TlsConfig(Config):
no_tls: False no_tls: False
""" % locals() """ % locals()
def read_tls_certificate(self, cert_path, config_name): def read_tls_certificate(self, cert_path):
cert_pem = self.read_file(cert_path, config_name) cert_pem = self.read_file(cert_path, "tls_certificate")
return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem) return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
def read_tls_private_key(self, private_key_path): def read_tls_private_key(self, private_key_path):

4
synapse/crypto/context_factory.py
View file

@ -37,9 +37,7 @@ class ServerContextFactory(ssl.ContextFactory):
except: except:
logger.exception("Failed to enable elliptic curve for TLS") logger.exception("Failed to enable elliptic curve for TLS")
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
context.use_certificate(config.tls_certificate) context.use_certificate_chain_file(config.tls_certificate_file)
if config.tls_certificate_chain_file:
context.use_certificate_chain_file(config.tls_certificate_chain_file)
if not config.no_tls: if not config.no_tls:
context.use_privatekey(config.tls_private_key) context.use_privatekey(config.tls_private_key)