diff options
-rw-r--r-- | synapse/config/tls.py | 20 | ||||
-rw-r--r-- | synapse/crypto/context_factory.py | 2 |
2 files changed, 19 insertions, 3 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py index ecb2d42c1f..e04fe0d96c 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -25,9 +25,19 @@ GENERATE_DH_PARAMS = False class TlsConfig(Config): def read_config(self, config): self.tls_certificate = self.read_tls_certificate( - config.get("tls_certificate_path") + config.get("tls_certificate_path"), + "tls_certificate" ) + tls_certificate_chain_path = + config.get("tls_certificate_chain_path") + + if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path): + self.tls_certificate_chain = self.read_tls_certificate( + config.get("tls_certificate_chain_path"), + "tls_certificate_chain" + ) + self.no_tls = config.get("no_tls", False) if self.no_tls: @@ -45,6 +55,7 @@ class TlsConfig(Config): base_key_name = os.path.join(config_dir_path, server_name) tls_certificate_path = base_key_name + ".tls.crt" + tls_certificate_chain_path = base_key_name + ".tls.chain.crt" tls_private_key_path = base_key_name + ".tls.key" tls_dh_params_path = base_key_name + ".tls.dh" @@ -52,6 +63,9 @@ class TlsConfig(Config): # PEM encoded X509 certificate for TLS tls_certificate_path: "%(tls_certificate_path)s" + # PEM encoded X509 intermediary certificate file for TLS (optional) + # tls_certificate_chain_path: "%(tls_certificate_chain_path)s" + # PEM encoded private key for TLS tls_private_key_path: "%(tls_private_key_path)s" @@ -62,8 +76,8 @@ class TlsConfig(Config): no_tls: False """ % locals() - def read_tls_certificate(self, cert_path): - cert_pem = self.read_file(cert_path, "tls_certificate") + def read_tls_certificate(self, cert_path, config_name): + cert_pem = self.read_file(cert_path, config_name) return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem) def read_tls_private_key(self, private_key_path): diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py index 2f8618a0df..ea5dd1e7d3 100644 --- a/synapse/crypto/context_factory.py +++ b/synapse/crypto/context_factory.py @@ -38,6 +38,8 @@ class ServerContextFactory(ssl.ContextFactory): logger.exception("Failed to enable eliptic curve for TLS") context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) context.use_certificate(config.tls_certificate) + if config.tls_certificate_chain: + context.use_certificate_chain_file(config.tls_certificate_chain) if not config.no_tls: context.use_privatekey(config.tls_private_key) |