diff --git a/README.rst b/README.rst
index 8bff55e78e..05a3bb3751 100644
--- a/README.rst
+++ b/README.rst
@@ -220,7 +220,7 @@ is configured to use TLS with a self-signed certificate. If you would like
to do initial test with a client without having to setup a reverse proxy,
you can temporarly use another certificate. (Note that a self-signed
certificate is fine for `Federation`_). You can do so by changing
-``tls_certificate_path``, ``tls_private_key_path`` and ``tls_dh_params_path``
+``tls_certificate_path`` and ``tls_private_key_path``
in ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
to read `Using a reverse proxy with Synapse`_ when doing so.
diff --git a/changelog.d/4229.feature b/changelog.d/4229.feature
new file mode 100644
index 0000000000..0d1996c7e8
--- /dev/null
+++ b/changelog.d/4229.feature
@@ -0,0 +1 @@
+Synapse's cipher string has been updated to require ECDH key exchange. Configuring and generating dh_params is no longer required, and they will be ignored.
diff --git a/debian/homeserver.yaml b/debian/homeserver.yaml
index 188a2d5483..0bb2d22a95 100644
--- a/debian/homeserver.yaml
+++ b/debian/homeserver.yaml
@@ -9,9 +9,6 @@ tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
# PEM encoded private key for TLS
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
-# PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
-
# Don't bind to the https port
no_tls: False
diff --git a/demo/demo.tls.dh b/demo/demo.tls.dh
deleted file mode 100644
index cbc58272a0..0000000000
--- a/demo/demo.tls.dh
+++ /dev/null
@@ -1,9 +0,0 @@
-2048-bit DH parameters taken from rfc3526
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
-IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
-awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
-mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
-fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
-5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
------END DH PARAMETERS-----
diff --git a/docker/conf/homeserver.yaml b/docker/conf/homeserver.yaml
index c2b8576a32..529118d184 100644
--- a/docker/conf/homeserver.yaml
+++ b/docker/conf/homeserver.yaml
@@ -4,7 +4,6 @@
tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
-tls_dh_params_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.dh"
no_tls: {{ "True" if SYNAPSE_NO_TLS else "False" }}
tls_fingerprints: []
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index fef1ea99cb..bb8952c672 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -14,7 +14,6 @@
# limitations under the License.
import os
-import subprocess
from hashlib import sha256
from unpaddedbase64 import encode_base64
@@ -23,8 +22,6 @@ from OpenSSL import crypto
from ._base import Config
-GENERATE_DH_PARAMS = False
-
class TlsConfig(Config):
def read_config(self, config):
@@ -42,10 +39,6 @@ class TlsConfig(Config):
config.get("tls_private_key_path")
)
- self.tls_dh_params_path = self.check_file(
- config.get("tls_dh_params_path"), "tls_dh_params"
- )
-
self.tls_fingerprints = config["tls_fingerprints"]
# Check that our own certificate is included in the list of fingerprints
@@ -72,7 +65,6 @@ class TlsConfig(Config):
tls_certificate_path = base_key_name + ".tls.crt"
tls_private_key_path = base_key_name + ".tls.key"
- tls_dh_params_path = base_key_name + ".tls.dh"
return """\
# PEM encoded X509 certificate for TLS.
@@ -85,9 +77,6 @@ class TlsConfig(Config):
# PEM encoded private key for TLS
tls_private_key_path: "%(tls_private_key_path)s"
- # PEM dh parameters for ephemeral keys
- tls_dh_params_path: "%(tls_dh_params_path)s"
-
# Don't bind to the https port
no_tls: False
@@ -131,7 +120,6 @@ class TlsConfig(Config):
def generate_files(self, config):
tls_certificate_path = config["tls_certificate_path"]
tls_private_key_path = config["tls_private_key_path"]
- tls_dh_params_path = config["tls_dh_params_path"]
if not self.path_exists(tls_private_key_path):
with open(tls_private_key_path, "wb") as private_key_file:
@@ -165,31 +153,3 @@ class TlsConfig(Config):
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
certificate_file.write(cert_pem)
-
- if not self.path_exists(tls_dh_params_path):
- if GENERATE_DH_PARAMS:
- subprocess.check_call([
- "openssl", "dhparam",
- "-outform", "PEM",
- "-out", tls_dh_params_path,
- "2048"
- ])
- else:
- with open(tls_dh_params_path, "w") as dh_params_file:
- dh_params_file.write(
- "2048-bit DH parameters taken from rfc3526\n"
- "-----BEGIN DH PARAMETERS-----\n"
- "MIIBCAKCAQEA///////////JD9qiIWjC"
- "NMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
- "IlFKCHmONATd75UZs806QxswKwpt8l8U"
- "N0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
- "awv/XLb0Brft7jhr+1qJn6WunyQRfEsf"
- "5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
- "mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVS"
- "u57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
- "fDKQXkYuNs474553LBgOhgObJ4Oi7Aei"
- "j7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
- "5RXSJhiY+gUQFXKOWoqsqmj/////////"
- "/wIBAg==\n"
- "-----END DH PARAMETERS-----\n"
- )
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 02b76dfcfb..6ba3eca7b2 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -46,8 +46,10 @@ class ServerContextFactory(ContextFactory):
if not config.no_tls:
context.use_privatekey(config.tls_private_key)
- context.load_tmp_dh(config.tls_dh_params_path)
- context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ context.set_cipher_list(
+ "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
+ )
def getContext(self):
return self._context
diff --git a/tests/config/test_generate.py b/tests/config/test_generate.py
index 0c23068bcf..b5ad99348d 100644
--- a/tests/config/test_generate.py
+++ b/tests/config/test_generate.py
@@ -51,7 +51,6 @@ class ConfigGenerationTestCase(unittest.TestCase):
"lemurs.win.log.config",
"lemurs.win.signing.key",
"lemurs.win.tls.crt",
- "lemurs.win.tls.dh",
"lemurs.win.tls.key",
]
),
|
