Require ECDH key exchange & remove dh_params (#4429)
* remove dh_params and set better cipher string
pull/4433/head
parent
83f335bedf
commit
23b0813599
|
@ -220,7 +220,7 @@ is configured to use TLS with a self-signed certificate. If you would like
|
||||||
to do initial test with a client without having to setup a reverse proxy,
|
to do initial test with a client without having to setup a reverse proxy,
|
||||||
you can temporarly use another certificate. (Note that a self-signed
|
you can temporarly use another certificate. (Note that a self-signed
|
||||||
certificate is fine for `Federation`_). You can do so by changing
|
certificate is fine for `Federation`_). You can do so by changing
|
||||||
``tls_certificate_path``, ``tls_private_key_path`` and ``tls_dh_params_path``
|
``tls_certificate_path`` and ``tls_private_key_path``
|
||||||
in ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
|
in ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
|
||||||
to read `Using a reverse proxy with Synapse`_ when doing so.
|
to read `Using a reverse proxy with Synapse`_ when doing so.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Synapse's cipher string has been updated to require ECDH key exchange. Configuring and generating dh_params is no longer required, and they will be ignored.
|
|
@ -9,9 +9,6 @@ tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
|
||||||
# PEM encoded private key for TLS
|
# PEM encoded private key for TLS
|
||||||
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
|
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
|
||||||
|
|
||||||
# PEM dh parameters for ephemeral keys
|
|
||||||
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
|
|
||||||
|
|
||||||
# Don't bind to the https port
|
# Don't bind to the https port
|
||||||
no_tls: False
|
no_tls: False
|
||||||
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
2048-bit DH parameters taken from rfc3526
|
|
||||||
-----BEGIN DH PARAMETERS-----
|
|
||||||
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
|
||||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
|
||||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
|
||||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
|
||||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
|
||||||
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
|
|
||||||
-----END DH PARAMETERS-----
|
|
|
@ -4,7 +4,6 @@
|
||||||
|
|
||||||
tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
|
tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
|
||||||
tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
|
tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
|
||||||
tls_dh_params_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.dh"
|
|
||||||
no_tls: {{ "True" if SYNAPSE_NO_TLS else "False" }}
|
no_tls: {{ "True" if SYNAPSE_NO_TLS else "False" }}
|
||||||
tls_fingerprints: []
|
tls_fingerprints: []
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import os
|
import os
|
||||||
import subprocess
|
|
||||||
from hashlib import sha256
|
from hashlib import sha256
|
||||||
|
|
||||||
from unpaddedbase64 import encode_base64
|
from unpaddedbase64 import encode_base64
|
||||||
|
@ -23,8 +22,6 @@ from OpenSSL import crypto
|
||||||
|
|
||||||
from ._base import Config
|
from ._base import Config
|
||||||
|
|
||||||
GENERATE_DH_PARAMS = False
|
|
||||||
|
|
||||||
|
|
||||||
class TlsConfig(Config):
|
class TlsConfig(Config):
|
||||||
def read_config(self, config):
|
def read_config(self, config):
|
||||||
|
@ -42,10 +39,6 @@ class TlsConfig(Config):
|
||||||
config.get("tls_private_key_path")
|
config.get("tls_private_key_path")
|
||||||
)
|
)
|
||||||
|
|
||||||
self.tls_dh_params_path = self.check_file(
|
|
||||||
config.get("tls_dh_params_path"), "tls_dh_params"
|
|
||||||
)
|
|
||||||
|
|
||||||
self.tls_fingerprints = config["tls_fingerprints"]
|
self.tls_fingerprints = config["tls_fingerprints"]
|
||||||
|
|
||||||
# Check that our own certificate is included in the list of fingerprints
|
# Check that our own certificate is included in the list of fingerprints
|
||||||
|
@ -72,7 +65,6 @@ class TlsConfig(Config):
|
||||||
|
|
||||||
tls_certificate_path = base_key_name + ".tls.crt"
|
tls_certificate_path = base_key_name + ".tls.crt"
|
||||||
tls_private_key_path = base_key_name + ".tls.key"
|
tls_private_key_path = base_key_name + ".tls.key"
|
||||||
tls_dh_params_path = base_key_name + ".tls.dh"
|
|
||||||
|
|
||||||
return """\
|
return """\
|
||||||
# PEM encoded X509 certificate for TLS.
|
# PEM encoded X509 certificate for TLS.
|
||||||
|
@ -85,9 +77,6 @@ class TlsConfig(Config):
|
||||||
# PEM encoded private key for TLS
|
# PEM encoded private key for TLS
|
||||||
tls_private_key_path: "%(tls_private_key_path)s"
|
tls_private_key_path: "%(tls_private_key_path)s"
|
||||||
|
|
||||||
# PEM dh parameters for ephemeral keys
|
|
||||||
tls_dh_params_path: "%(tls_dh_params_path)s"
|
|
||||||
|
|
||||||
# Don't bind to the https port
|
# Don't bind to the https port
|
||||||
no_tls: False
|
no_tls: False
|
||||||
|
|
||||||
|
@ -131,7 +120,6 @@ class TlsConfig(Config):
|
||||||
def generate_files(self, config):
|
def generate_files(self, config):
|
||||||
tls_certificate_path = config["tls_certificate_path"]
|
tls_certificate_path = config["tls_certificate_path"]
|
||||||
tls_private_key_path = config["tls_private_key_path"]
|
tls_private_key_path = config["tls_private_key_path"]
|
||||||
tls_dh_params_path = config["tls_dh_params_path"]
|
|
||||||
|
|
||||||
if not self.path_exists(tls_private_key_path):
|
if not self.path_exists(tls_private_key_path):
|
||||||
with open(tls_private_key_path, "wb") as private_key_file:
|
with open(tls_private_key_path, "wb") as private_key_file:
|
||||||
|
@ -165,31 +153,3 @@ class TlsConfig(Config):
|
||||||
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
|
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
|
||||||
|
|
||||||
certificate_file.write(cert_pem)
|
certificate_file.write(cert_pem)
|
||||||
|
|
||||||
if not self.path_exists(tls_dh_params_path):
|
|
||||||
if GENERATE_DH_PARAMS:
|
|
||||||
subprocess.check_call([
|
|
||||||
"openssl", "dhparam",
|
|
||||||
"-outform", "PEM",
|
|
||||||
"-out", tls_dh_params_path,
|
|
||||||
"2048"
|
|
||||||
])
|
|
||||||
else:
|
|
||||||
with open(tls_dh_params_path, "w") as dh_params_file:
|
|
||||||
dh_params_file.write(
|
|
||||||
"2048-bit DH parameters taken from rfc3526\n"
|
|
||||||
"-----BEGIN DH PARAMETERS-----\n"
|
|
||||||
"MIIBCAKCAQEA///////////JD9qiIWjC"
|
|
||||||
"NMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
|
|
||||||
"IlFKCHmONATd75UZs806QxswKwpt8l8U"
|
|
||||||
"N0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
|
|
||||||
"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf"
|
|
||||||
"5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
|
|
||||||
"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVS"
|
|
||||||
"u57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
|
|
||||||
"fDKQXkYuNs474553LBgOhgObJ4Oi7Aei"
|
|
||||||
"j7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
|
|
||||||
"5RXSJhiY+gUQFXKOWoqsqmj/////////"
|
|
||||||
"/wIBAg==\n"
|
|
||||||
"-----END DH PARAMETERS-----\n"
|
|
||||||
)
|
|
||||||
|
|
|
@ -46,8 +46,10 @@ class ServerContextFactory(ContextFactory):
|
||||||
if not config.no_tls:
|
if not config.no_tls:
|
||||||
context.use_privatekey(config.tls_private_key)
|
context.use_privatekey(config.tls_private_key)
|
||||||
|
|
||||||
context.load_tmp_dh(config.tls_dh_params_path)
|
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
||||||
context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
|
context.set_cipher_list(
|
||||||
|
"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
|
||||||
|
)
|
||||||
|
|
||||||
def getContext(self):
|
def getContext(self):
|
||||||
return self._context
|
return self._context
|
||||||
|
|
|
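Review bot: The new cipher list admits only ECDHE suites, so this context cannot complete any handshake unless an ECDH curve is configured on it, and nothing in the visible lines does that. On OpenSSL releases before 1.1.0 a raw pyOpenSSL context does not select a curve automatically; if the rest of this method (it starts above the hunk) does not already do so, add `context.set_tmp_ecdh(crypto.get_elliptic_curve("prime256v1"))` before `set_cipher_list`, assuming `OpenSSL.crypto` is imported in this module. A failure in that call should stop startup rather than be logged and skipped, because there is no DHE fallback left. The bare URL comment would also say more as `# ECDHE-only, AEAD or SHA-2 MACs; DHE and SHA-1 suites are dropped, so peers without ECDHE support can no longer connect`.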
@ -51,7 +51,6 @@ class ConfigGenerationTestCase(unittest.TestCase):
|
||||||
"lemurs.win.log.config",
|
"lemurs.win.log.config",
|
||||||
"lemurs.win.signing.key",
|
"lemurs.win.signing.key",
|
||||||
"lemurs.win.tls.crt",
|
"lemurs.win.tls.crt",
|
||||||
"lemurs.win.tls.dh",
|
|
||||||
"lemurs.win.tls.key",
|
"lemurs.win.tls.key",
|
||||||
]
|
]
|
||||||
),
|
),
|
||||||
|
|