From 64afbe6ccd19bb2ec94f3fbb3d91586202c924fd Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Wed, 8 Jul 2015 18:20:02 +0100
Subject: [PATCH 1/7] add new optional config for tls_certificate_chain_path for folks with intermediary SSL certs
---
 synapse/config/tls.py | 20 +++++++++++++++++---
 synapse/crypto/context_factory.py | 2 ++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index ecb2d42c1f..e04fe0d96c 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -25,9 +25,19 @@ GENERATE_DH_PARAMS = False
 class TlsConfig(Config):
 def read_config(self, config):
 self.tls_certificate = self.read_tls_certificate(
- config.get("tls_certificate_path")
+ config.get("tls_certificate_path"),
+ "tls_certificate"
 )
+ tls_certificate_chain_path =
+ config.get("tls_certificate_chain_path")
+
+ if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
+ self.tls_certificate_chain = self.read_tls_certificate(
+ config.get("tls_certificate_chain_path"),
+ "tls_certificate_chain"
+ )
+
 self.no_tls = config.get("no_tls", False)
 if self.no_tls:
@@ -45,6 +55,7 @@ class TlsConfig(Config):
 base_key_name = os.path.join(config_dir_path, server_name)
 tls_certificate_path = base_key_name + ".tls.crt"
+ tls_certificate_chain_path = base_key_name + ".tls.chain.crt"
 tls_private_key_path = base_key_name + ".tls.key"
 tls_dh_params_path = base_key_name + ".tls.dh"
@@ -52,6 +63,9 @@ class TlsConfig(Config):
 # PEM encoded X509 certificate for TLS
 tls_certificate_path: "%(tls_certificate_path)s"
+ # PEM encoded X509 intermediary certificate file for TLS (optional)
+ # tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
+
 # PEM encoded private key for TLS
 tls_private_key_path: "%(tls_private_key_path)s"
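Review bot: In the `@@ -25,9 +25,19 @@` hunk, a `tls_certificate_chain_path` that is configured but does not exist on disk is silently skipped by the `os.path.exists` guard, so a typo in the path produces a server that never presents its intermediates, and the operator only learns of it from clients' verification failures rather than at startup. A path that is set but missing should be a configuration error: either drop the `os.path.exists` test and let `self.read_file` report the missing file the way it already does for `tls_certificate_path`, or add an explicit `elif tls_certificate_chain_path:` branch that raises with the offending path in the message. The same silent guard is carried forward unchanged in the `@@ -29,14 +29,15 @@` hunk of PATCH 2/7 and the `@@ -32,10 +32,7 @@` hunk of PATCH 4/7. `read_config` continues outside the hunk.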
@@ -62,8 +76,8 @@ class TlsConfig(Config):
 no_tls: False
 """ % locals()
- def read_tls_certificate(self, cert_path):
- cert_pem = self.read_file(cert_path, "tls_certificate")
+ def read_tls_certificate(self, cert_path, config_name):
+ cert_pem = self.read_file(cert_path, config_name)
 return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
 def read_tls_private_key(self, private_key_path):
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 2f8618a0df..ea5dd1e7d3 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -38,6 +38,8 @@ class ServerContextFactory(ssl.ContextFactory):
 logger.exception("Failed to enable eliptic curve for TLS")
 context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
 context.use_certificate(config.tls_certificate)
+ if config.tls_certificate_chain:
+ context.use_certificate_chain_file(config.tls_certificate_chain)
 if not config.no_tls:
 context.use_privatekey(config.tls_private_key)
From 465acb0c6ac575c120c756486171aa701abaa4eb Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Wed, 8 Jul 2015 18:30:59 +0100
Subject: [PATCH 2/7] *cough*
---
 synapse/config/tls.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index e04fe0d96c..945af38053 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -29,14 +29,15 @@ class TlsConfig(Config):
 "tls_certificate"
 )
- tls_certificate_chain_path =
- config.get("tls_certificate_chain_path")
+ tls_certificate_chain_path = config.get("tls_certificate_chain_path")
 if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
 self.tls_certificate_chain = self.read_tls_certificate(
 config.get("tls_certificate_chain_path"),
 "tls_certificate_chain"
 )
+ else:
+ self.tls_certificate_chain = None
 self.no_tls = config.get("no_tls", False)
From 19fa3731aee498159cbc475f8b29f66dacb6aba6 Mon Sep 17 00:00:00 2001
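Review bot: In the `@@ -29,14 +29,15 @@` hunk of PATCH 2/7 the new line binds `tls_certificate_chain_path = config.get("tls_certificate_chain_path")`, yet the `read_tls_certificate` call two lines below still re-reads `config.get("tls_certificate_chain_path")` instead of using that local; the call should take `tls_certificate_chain_path,` so the path that was tested with `os.path.exists` is the one that gets opened. This is a style point rather than a behaviour change here, since `config.get` is pure, but it is the kind of duplication that drifts later. `read_config` starts and ends outside the hunk.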
From: Matthew Hodgson
Date: Wed, 8 Jul 2015 18:53:41 +0100
Subject: [PATCH 3/7] typo
---
 synapse/crypto/context_factory.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index ea5dd1e7d3..324dc31fe4 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -35,7 +35,7 @@ class ServerContextFactory(ssl.ContextFactory):
 _ecCurve = _OpenSSLECCurve(_defaultCurveName)
 _ecCurve.addECKeyToContext(context)
 except:
- logger.exception("Failed to enable eliptic curve for TLS")
+ logger.exception("Failed to enable elliptic curve for TLS")
 context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
 context.use_certificate(config.tls_certificate)
 if config.tls_certificate_chain:
From f26a3df1bf6cabee28f5f91778082c0f26b2378c Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Wed, 8 Jul 2015 21:33:02 +0100
Subject: [PATCH 4/7] oops, context.tls_certificate_chain_file() expects a file, not a certificate.
---
 synapse/config/tls.py | 5 +----
 synapse/crypto/context_factory.py | 4 ++--
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 945af38053..5fef63846d 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -32,10 +32,7 @@ class TlsConfig(Config):
 tls_certificate_chain_path = config.get("tls_certificate_chain_path")
 if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
- self.tls_certificate_chain = self.read_tls_certificate(
- config.get("tls_certificate_chain_path"),
- "tls_certificate_chain"
- )
+ self.tls_certificate_chain_file = tls_certificate_chain_path
 else:
 self.tls_certificate_chain = None
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 324dc31fe4..d515007ca0 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
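Review bot: The `@@ -32,10 +32,7 @@` hunk of PATCH 4/7 assigns `self.tls_certificate_chain_file` in the `if` branch, but the surviving `else:` branch still sets `self.tls_certificate_chain = None`, so a deployment with no chain file never defines `tls_certificate_chain_file` at all. The `@@ -38,8 +38,8 @@` hunk of the same patch (context_factory.py) now reads `config.tls_certificate_chain_file` unconditionally, which would raise AttributeError in exactly the default, chain-less configuration. The else branch should read `self.tls_certificate_chain_file = None`. `read_config` starts and ends outside the hunk.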
@@ -38,8 +38,8 @@ class ServerContextFactory(ssl.ContextFactory):
 logger.exception("Failed to enable elliptic curve for TLS")
 context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
 context.use_certificate(config.tls_certificate)
- if config.tls_certificate_chain:
- context.use_certificate_chain_file(config.tls_certificate_chain)
+ if config.tls_certificate_chain_file:
+ context.use_certificate_chain_file(config.tls_certificate_chain_file)
 if not config.no_tls:
 context.use_privatekey(config.tls_private_key)
From 8ad2d2d1cb679484dcffc7bacfd9c1de3f6dad38 Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Thu, 9 Jul 2015 00:06:01 +0100
Subject: [PATCH 5/7] document tls_certificate_chain_path more clearly
---
 synapse/config/tls.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 5fef63846d..de57d0d0ed 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -62,6 +62,11 @@ class TlsConfig(Config):
 tls_certificate_path: "%(tls_certificate_path)s"
 # PEM encoded X509 intermediary certificate file for TLS (optional)
+ # This *must* be a concatenation of the tls_certificate pointed to
+ # by tls_certificate_path followed by the intermediary certificates
+ # in hierarchical order. If specified this option overrides the
+ # tls_certificate_path parameter.
+ #
 # tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
 # PEM encoded private key for TLS
From fb8d2862c1d7582096b5f8bd6194dcbe8e1afc01 Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Thu, 9 Jul 2015 00:45:41 +0100
Subject: [PATCH 6/7] remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates
---
 synapse/config/tls.py | 30 +++++++++--------------------
 synapse/crypto/context_factory.py | 4 +---
 2 files changed, 10 insertions(+), 24 deletions(-)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index de57d0d0ed..e136d13713 100644
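Review bot: The comment added in the `@@ -62,6 +62,11 @@` hunk of PATCH 5/7 says the chain file "overrides the tls_certificate_path parameter", but `read_config` still loads `self.tls_certificate` from `tls_certificate_path` (PATCH 1/7, `@@ -25,9 +25,19 @@`) and context_factory.py installs that object with `context.use_certificate` before the chain file replaces it, so only the TLS context is overridden; any other consumer of `config.tls_certificate`, if there is one, keeps seeing the standalone file. The comment should make the dependency explicit, e.g. `# tls_certificate_path is still read and must contain the same leaf certificate; only the TLS listener uses this chain file.` It would also help operators to state that the first certificate in the chain file must be the one matching `tls_private_key_path`, since a mismatch there is not caught at startup by the code in this series.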
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -25,16 +25,9 @@ GENERATE_DH_PARAMS = False
 class TlsConfig(Config):
 def read_config(self, config):
 self.tls_certificate = self.read_tls_certificate(
- config.get("tls_certificate_path"),
- "tls_certificate"
+ config.get("tls_certificate_path")
 )
-
- tls_certificate_chain_path = config.get("tls_certificate_chain_path")
-
- if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
- self.tls_certificate_chain_file = tls_certificate_chain_path
- else:
- self.tls_certificate_chain = None
+ self.tls_certificate_file = config.get("tls_certificate_path");
 self.no_tls = config.get("no_tls", False)
@@ -53,22 +46,17 @@ class TlsConfig(Config):
 base_key_name = os.path.join(config_dir_path, server_name)
 tls_certificate_path = base_key_name + ".tls.crt"
- tls_certificate_chain_path = base_key_name + ".tls.chain.crt"
 tls_private_key_path = base_key_name + ".tls.key"
 tls_dh_params_path = base_key_name + ".tls.dh"
 return """\
- # PEM encoded X509 certificate for TLS
+ # PEM encoded X509 certificate for TLS.
+ # You can replace the self-signed certificate that synapse
+ # autogenerates on launch with your own SSL certificate + key pair
+ # if you like. Any required intermediary certificates can be
+ # appended after the primary certificate in hierarchical order.
 tls_certificate_path: "%(tls_certificate_path)s"
- # PEM encoded X509 intermediary certificate file for TLS (optional)
- # This *must* be a concatenation of the tls_certificate pointed to
- # by tls_certificate_path followed by the intermediary certificates
- # in hierarchical order. If specified this option overrides the
- # tls_certificate_path parameter.
- #
- # tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
 # PEM encoded private key for TLS
 tls_private_key_path: "%(tls_private_key_path)s"
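Review bot: In the `@@ -25,16 +25,9 @@` hunk of PATCH 6/7, `config.get("tls_certificate_path")` is now evaluated twice, once for `read_tls_certificate` and once for the new `tls_certificate_file` attribute; bind it once, `tls_certificate_path = config.get("tls_certificate_path")`, and feed both from that local so the parsed certificate and the file handed to OpenSSL can never come from different keys. Since the file may now hold a whole chain, the new attribute also deserves a comment: as far as I can tell `crypto.load_certificate` in `read_tls_certificate` parses only the first PEM block, so `self.tls_certificate` is the leaf certificate and the file must list the leaf first, which is the same ordering `use_certificate_chain_file` in context_factory.py relies on; something like `# tls_certificate holds only the first (leaf) certificate of the file; the full chain is loaded from tls_certificate_file by the TLS context.` `read_config` continues outside the hunk.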
@@ -79,8 +67,8 @@ class TlsConfig(Config):
 no_tls: False
 """ % locals()
- def read_tls_certificate(self, cert_path, config_name):
- cert_pem = self.read_file(cert_path, config_name)
+ def read_tls_certificate(self, cert_path):
+ cert_pem = self.read_file(cert_path, "tls_certificate")
 return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
 def read_tls_private_key(self, private_key_path):
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index d515007ca0..c4390f3b2b 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -37,9 +37,7 @@ class ServerContextFactory(ssl.ContextFactory):
 except:
 logger.exception("Failed to enable elliptic curve for TLS")
 context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
- context.use_certificate(config.tls_certificate)
- if config.tls_certificate_chain_file:
- context.use_certificate_chain_file(config.tls_certificate_chain_file)
+ context.use_certificate_chain_file(config.tls_certificate_file)
 if not config.no_tls:
 context.use_privatekey(config.tls_private_key)
From 294dbd712fee435489fe6e9f9942bd9c39fd480c Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Thu, 9 Jul 2015 11:47:24 +0100
Subject: [PATCH 7/7] We don't want semicolons.
---
 synapse/config/tls.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index e136d13713..6c1df35e80 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -27,7 +27,7 @@ class TlsConfig(Config):
 self.tls_certificate = self.read_tls_certificate(
 config.get("tls_certificate_path")
 )
- self.tls_certificate_file = config.get("tls_certificate_path");
+ self.tls_certificate_file = config.get("tls_certificate_path")
 self.no_tls = config.get("no_tls", False)
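Review bot: In the `@@ -37,9 +37,7 @@` hunk of PATCH 6/7 (context_factory.py) the leaf certificate now comes from `use_certificate_chain_file(config.tls_certificate_file)` while the key still comes from `use_privatekey(config.tls_private_key)`, and nothing verifies that the two belong together; a chain file whose first certificate is not the one for `tls_private_key_path`, the most likely slip when an operator concatenates files by hand, is accepted at startup and only surfaces as failed handshakes once clients connect. Adding `context.check_privatekey()` immediately after the `use_privatekey` call makes the mismatch a startup error with a clear OpenSSL message instead. The method's body continues outside the hunk, so the guard should go inside the same `if not config.no_tls:` branch.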