From 64afbe6ccd19bb2ec94f3fbb3d91586202c924fd Mon Sep 17 00:00:00 2001
From: Matthew Hodgson <matthew@matrix.org>
Date: Wed, 8 Jul 2015 18:20:02 +0100
Subject: add new optional config for tls_certificate_chain_path for folks with
 intermediary SSL certs

---
 synapse/config/tls.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

(limited to 'synapse/config')

diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index ecb2d42c1f..e04fe0d96c 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -25,9 +25,19 @@ GENERATE_DH_PARAMS = False
 class TlsConfig(Config):
     def read_config(self, config):
         self.tls_certificate = self.read_tls_certificate(
-            config.get("tls_certificate_path")
+            config.get("tls_certificate_path"),
+            "tls_certificate"
         )
 
+        tls_certificate_chain_path =
+            config.get("tls_certificate_chain_path")
+
+        if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
+            self.tls_certificate_chain = self.read_tls_certificate(
+                config.get("tls_certificate_chain_path"),
+                "tls_certificate_chain"
+            )
+
         self.no_tls = config.get("no_tls", False)
 
         if self.no_tls:
@@ -45,6 +55,7 @@ class TlsConfig(Config):
         base_key_name = os.path.join(config_dir_path, server_name)
 
         tls_certificate_path = base_key_name + ".tls.crt"
+        tls_certificate_chain_path = base_key_name + ".tls.chain.crt"
         tls_private_key_path = base_key_name + ".tls.key"
         tls_dh_params_path = base_key_name + ".tls.dh"
 
@@ -52,6 +63,9 @@ class TlsConfig(Config):
         # PEM encoded X509 certificate for TLS
         tls_certificate_path: "%(tls_certificate_path)s"
 
+        # PEM encoded X509 intermediary certificate file for TLS (optional)
+        # tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
+
         # PEM encoded private key for TLS
         tls_private_key_path: "%(tls_private_key_path)s"
 
@@ -62,8 +76,8 @@ class TlsConfig(Config):
         no_tls: False
         """ % locals()
 
-    def read_tls_certificate(self, cert_path):
-        cert_pem = self.read_file(cert_path, "tls_certificate")
+    def read_tls_certificate(self, cert_path, config_name):
+        cert_pem = self.read_file(cert_path, config_name)
         return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
 
     def read_tls_private_key(self, private_key_path):
-- 
cgit 1.4.1