author | Amber Brown <hawkowl@atleastfornow.net> | 2019-02-11 21:36:26 +1100 |
---|---|---|
committer | Richard van der Hoff <1389908+richvdh@users.noreply.github.com> | 2019-02-11 10:36:26 +0000 |
commit | 6e2a5aa050fc132a7dee6b3e33a7a368207d7e5a (patch) | |
tree | 7c30cc2c0fe48d3e5c0513565a390b5572d9248a /synapse/config | |
parent | Be tolerant of blank TLS fingerprints config (#4589) (diff) | |
download | synapse-6e2a5aa050fc132a7dee6b3e33a7a368207d7e5a.tar.xz |
ACME Reprovisioning (#4522)
Diffstat (limited to 'synapse/config')
-rw-r--r-- | synapse/config/tls.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 81b3a659fe..9fcc79816d 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -64,10 +64,14 @@ class TlsConfig(Config):
         self.tls_certificate = None
         self.tls_private_key = None
 
-    def is_disk_cert_valid(self):
+    def is_disk_cert_valid(self, allow_self_signed=True):
         """
         Is the certificate we have on disk valid, and if so, for how long?
 
+        Args:
+            allow_self_signed (bool): Should we allow the certificate we
+                read to be self signed?
+
         Returns:
             int: Days remaining of certificate validity.
             None: No certificate exists.
@@ -88,6 +92,12 @@ class TlsConfig(Config):
             logger.exception("Failed to parse existing certificate off disk!")
             raise
 
+        if not allow_self_signed:
+            if tls_certificate.get_subject() == tls_certificate.get_issuer():
+                raise ValueError(
+                    "TLS Certificate is self signed, and this is not permitted"
+                )
+
         # YYYYMMDDhhmmssZ -- in UTC
         expires_on = datetime.strptime(
             tls_certificate.get_notAfter().decode('ascii'), "%Y%m%d%H%M%SZ"
 |
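Review bot: The new docstring documents `allow_self_signed` but not the new failure mode it introduces; with the flag set to False the method no longer returns int/None for every certificate on disk, it raises. Callers reading only the Returns section will not expect that. Add a Raises entry after the Returns block: `Raises:` / `ValueError: The certificate is self signed and allow_self_signed is False.` The body of is_disk_cert_valid continues beyond this hunk.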
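Review bot: The check in the added block compares the subject and issuer names only; that identifies a self-issued certificate, and it does not verify that the signature was made with the certificate's own key, so "self signed" is asserted from the name match rather than the signature. For the server certificates this config handles the two usually coincide, but the distinction is worth stating so a later reader does not treat the check as a signature verification. I would put a short comment above the comparison: `# Subject == issuer means self-issued; treated here as self signed without checking the signature.` The parse failure just above is logged with logger.exception before re-raising, whereas this ValueError is raised silently; a matching logger.warning before the raise would keep the method's error reporting consistent. The enclosing method starts and ends outside this hunk.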