Skip to content
Snippets Groups Projects
Commit be794c7c authored by Richard van der Hoff's avatar Richard van der Hoff
Browse files

Merge branch 'rav/tls_config_logging_fixes' into rav/tls_cert/work

parents 2129dd1a 086f6f27
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
changelog.d/4615.misc 0 → 100644
+ 1
0
View file @ be794c7c
Logging improvements around TLS certs
synapse/app/_base.py
+ 2
4
View file @ be794c7c
......@@ -213,13 +213,11 @@ def refresh_certificate(hs):
Refresh the TLS certificates that Synapse is using by re-reading them from
disk and updating the TLS context factories to use them.
"""
logging.info("Loading certificate from disk...")
hs.config.read_certificate_from_disk()
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
logging.info("Certificate loaded.")
if hs._listening_services:
logging.info("Updating context factories...")
logger.info("Updating context factories...")
for i in hs._listening_services:
# When you listenSSL, it doesn't make an SSL port but a TCP one with
# a TLS wrapping factory around the factory you actually want to get
......@@ -234,7 +232,7 @@ def refresh_certificate(hs):
False,
i.factory.wrappedFactory
)
logging.info("Context factories updated.")
logger.info("Context factories updated.")
def start(hs, listeners=None):
......
synapse/config/tls.py
+ 36
18
View file @ be794c7c
......@@ -25,7 +25,7 @@ from OpenSSL import crypto
from synapse.config._base import Config
logger = logging.getLogger()
logger = logging.getLogger(__name__)
class TlsConfig(Config):
......@@ -110,20 +110,10 @@ class TlsConfig(Config):
"""
Read the certificates from disk.
"""
self.tls_certificate = self.read_tls_certificate(self.tls_certificate_file)
# Check if it is self-signed, and issue a warning if so.
if self.tls_certificate.get_issuer() == self.tls_certificate.get_subject():
warnings.warn(
(
"Self-signed TLS certificates will not be accepted by Synapse 1.0. "
"Please either provide a valid certificate, or use Synapse's ACME "
"support to provision one."
)
)
self.tls_certificate = self.read_tls_certificate()
if not self.no_tls:
self.tls_private_key = self.read_tls_private_key(self.tls_private_key_file)
self.tls_private_key = self.read_tls_private_key()
self.tls_fingerprints = list(self._original_tls_fingerprints)
......@@ -250,10 +240,38 @@ class TlsConfig(Config):
% locals()
)
def read_tls_certificate(self, cert_path):
cert_pem = self.read_file(cert_path, "tls_certificate")
return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
def read_tls_certificate(self):
"""Reads the TLS certificate from the configured file, and returns it
Also checks if it is self-signed, and warns if so
Returns:
OpenSSL.crypto.X509: the certificate
"""
cert_path = self.tls_certificate_file
logger.info("Loading TLS certificate from %s", cert_path)
cert_pem = self.read_file(cert_path, "tls_certificate_path")
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
# Check if it is self-signed, and issue a warning if so.
if cert.get_issuer() == cert.get_subject():
warnings.warn(
(
"Self-signed TLS certificates will not be accepted by Synapse 1.0. "
"Please either provide a valid certificate, or use Synapse's ACME "
"support to provision one."
)
)
return cert
def read_tls_private_key(self, private_key_path):
private_key_pem = self.read_file(private_key_path, "tls_private_key")
def read_tls_private_key(self):
"""Reads the TLS private key from the configured file, and returns it
Returns:
OpenSSL.crypto.PKey: the private key
"""
private_key_path = self.tls_private_key_file
logger.info("Loading TLS key from %s", private_key_path)
private_key_pem = self.read_file(private_key_path, "tls_private_key_path")
return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment