diff options
author | Matthew Hodgson <matthew@matrix.org> | 2015-07-09 00:45:41 +0100 |
---|---|---|
committer | Matthew Hodgson <matthew@matrix.org> | 2015-07-09 00:45:41 +0100 |
commit | fb8d2862c1d7582096b5f8bd6194dcbe8e1afc01 (patch) | |
tree | 367069f6c0d7c7c785cfc6bd799d4b0b827a105a /synapse | |
parent | document tls_certificate_chain_path more clearly (diff) | |
download | synapse-fb8d2862c1d7582096b5f8bd6194dcbe8e1afc01.tar.xz |
remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates
Diffstat (limited to 'synapse')
-rw-r--r-- | synapse/config/tls.py | 30 | ||||
-rw-r--r-- | synapse/crypto/context_factory.py | 4 |
2 files changed, 10 insertions, 24 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py index de57d0d0ed..e136d13713 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -25,16 +25,9 @@ GENERATE_DH_PARAMS = False class TlsConfig(Config): def read_config(self, config): self.tls_certificate = self.read_tls_certificate( - config.get("tls_certificate_path"), - "tls_certificate" + config.get("tls_certificate_path") ) - - tls_certificate_chain_path = config.get("tls_certificate_chain_path") - - if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path): - self.tls_certificate_chain_file = tls_certificate_chain_path - else: - self.tls_certificate_chain = None + self.tls_certificate_file = config.get("tls_certificate_path"); self.no_tls = config.get("no_tls", False) @@ -53,22 +46,17 @@ class TlsConfig(Config): base_key_name = os.path.join(config_dir_path, server_name) tls_certificate_path = base_key_name + ".tls.crt" - tls_certificate_chain_path = base_key_name + ".tls.chain.crt" tls_private_key_path = base_key_name + ".tls.key" tls_dh_params_path = base_key_name + ".tls.dh" return """\ - # PEM encoded X509 certificate for TLS + # PEM encoded X509 certificate for TLS. + # You can replace the self-signed certificate that synapse + # autogenerates on launch with your own SSL certificate + key pair + # if you like. Any required intermediary certificates can be + # appended after the primary certificate in hierarchical order. tls_certificate_path: "%(tls_certificate_path)s" - # PEM encoded X509 intermediary certificate file for TLS (optional) - # This *must* be a concatenation of the tls_certificate pointed to - # by tls_certificate_path followed by the intermediary certificates - # in hierarchical order. If specified this option overrides the - # tls_certificate_path parameter. - # - # tls_certificate_chain_path: "%(tls_certificate_chain_path)s" - # PEM encoded private key for TLS tls_private_key_path: "%(tls_private_key_path)s" @@ -79,8 +67,8 @@ class TlsConfig(Config): no_tls: False """ % locals() - def read_tls_certificate(self, cert_path, config_name): - cert_pem = self.read_file(cert_path, config_name) + def read_tls_certificate(self, cert_path): + cert_pem = self.read_file(cert_path, "tls_certificate") return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem) def read_tls_private_key(self, private_key_path): diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py index d515007ca0..c4390f3b2b 100644 --- a/synapse/crypto/context_factory.py +++ b/synapse/crypto/context_factory.py @@ -37,9 +37,7 @@ class ServerContextFactory(ssl.ContextFactory): except: logger.exception("Failed to enable elliptic curve for TLS") context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) - context.use_certificate(config.tls_certificate) - if config.tls_certificate_chain_file: - context.use_certificate_chain_file(config.tls_certificate_chain_file) + context.use_certificate_chain_file(config.tls_certificate_file) if not config.no_tls: context.use_privatekey(config.tls_private_key) |