From 082efe482628a1af7fc689e760c1ee6572035103 Mon Sep 17 00:00:00 2001
From: Alex Shafer
Date: Sat, 8 Jul 2017 19:06:59 -0700
Subject: [PATCH 1/2] Making tls_ configs optional with no_tls
---
 .gitignore | 2 ++
 synapse/config/tls.py | 61 ++++++++++++++++++++++---------------------
 2 files changed, 33 insertions(+), 30 deletions(-)
diff --git a/.gitignore b/.gitignore
index 491047c3521c..23ea78d931b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 *.pyc
 .*.swp
+.*.swo
+.*.swn
 .DS_Store
 _trial_temp/
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index e081840a83a8..63419de11ce3 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -27,44 +27,45 @@ class TlsConfig(Config): def read_config(self, config): - self.tls_certificate = self.read_tls_certificate( - config.get("tls_certificate_path") - ) - self.tls_certificate_file = config.get("tls_certificate_path") - self.no_tls = config.get("no_tls", False) if self.no_tls: self.tls_private_key = None + self.tls_certificate = None else: + self.tls_certificate = self.read_tls_certificate( + config.get("tls_certificate_path") + ) + self.tls_certificate_file = config.get("tls_certificate_path") + self.tls_private_key = self.read_tls_private_key( config.get("tls_private_key_path") ) - self.tls_dh_params_path = self.check_file( - config.get("tls_dh_params_path"), "tls_dh_params" - ) - - self.tls_fingerprints = config["tls_fingerprints"] - - # Check that our own certificate is included in the list of fingerprints - # and include it if it is not. - x509_certificate_bytes = crypto.dump_certificate( - crypto.FILETYPE_ASN1, - self.tls_certificate - ) - sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest()) - sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints) - if sha256_fingerprint not in sha256_fingerprints: - self.tls_fingerprints.append({u"sha256": sha256_fingerprint}) - - # This config option applies to non-federation HTTP clients - # (e.g. for talking to recaptcha, identity servers, and such) - # It should never be used in production, and is intended for - # use only when running tests. - self.use_insecure_ssl_client_just_for_testing_do_not_use = config.get( - "use_insecure_ssl_client_just_for_testing_do_not_use" - ) + self.tls_dh_params_path = self.check_file( + config.get("tls_dh_params_path"), "tls_dh_params" + ) + + self.tls_fingerprints = config["tls_fingerprints"] + + # Check that our own certificate is included in the list of fingerprints + # and include it if it is not. 
+ x509_certificate_bytes = crypto.dump_certificate( + crypto.FILETYPE_ASN1, + self.tls_certificate + ) + sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest()) + sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints) + if sha256_fingerprint not in sha256_fingerprints: + self.tls_fingerprints.append({u"sha256": sha256_fingerprint}) + + # This config option applies to non-federation HTTP clients + # (e.g. for talking to recaptcha, identity servers, and such) + # It should never be used in production, and is intended for + # use only when running tests. + self.use_insecure_ssl_client_just_for_testing_do_not_use = config.get( + "use_insecure_ssl_client_just_for_testing_do_not_use" + ) def default_config(self, config_dir_path, server_name, **kwargs): base_key_name = os.path.join(config_dir_path, server_name) @@ -114,7 +115,7 @@ def default_config(self, config_dir_path, server_name, **kwargs): """ % locals() def read_tls_certificate(self, cert_path): - cert_pem = self.read_file(cert_path, "tls_certificate") + cert_pem = self.read_file(cert_path, "tls_certificate_path") return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem) def read_tls_private_key(self, private_key_path): From c379ac7cc200053c0652c709a56d4d5a8c19f556 Mon Sep 17 00:00:00 2001 From: Alex Shafer Date: Sat, 8 Jul 2017 20:12:50 -0700 Subject: [PATCH 2/2] Further improving no_tls support --- synapse/app/homeserver.py | 7 +++++-- synapse/config/tls.py | 14 +++++++------- synapse/rest/key/v1/server_key_resource.py | 14 +++++++++----- synapse/rest/key/v2/local_key_resource.py | 5 ++++- 4 files changed, 25 insertions(+), 15 deletions(-) diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py index 081e7cce5998..ab58a00af459 100755 --- a/synapse/app/homeserver.py +++ b/synapse/app/homeserver.py 
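Review bot: In read_config the `no_tls` branch assigns only `tls_private_key` and `tls_certificate`, while `tls_certificate_file`, `tls_dh_params_path` and `tls_fingerprints` are assigned on the else path alone, so under no_tls those attributes never exist and any reader gets an AttributeError rather than an empty value; the `no_tls` guards added to server_key_resource.py and local_key_resource.py in the second patch work around exactly this gap. Give the config object one shape by completing the no_tls branch with `self.tls_certificate_file = None`, `self.tls_dh_params_path = None` and `self.tls_fingerprints = []`, after which consumers need no mode checks. The `use_insecure_ssl_client_just_for_testing_do_not_use` read is removed and re-added in this hunk with identical text, which suggests it was re-indented under the else path; that option governs outbound HTTPS clients, which still exist with no_tls, so it should stay unconditional (the second patch appears to move it back out). The TlsConfig class starts before this hunk and continues after it.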
@@ -114,7 +114,7 @@ def _listener_http(self, config, listener_config): site_tag = listener_config.get("tag", port) if tls and config.no_tls: - return + raise RuntimeError('Listener is configured with tls enabled, but no_tls is set') resources = {} for res in listener_config["resources"]: @@ -307,7 +307,10 @@ def setup(config_options): events.USE_FROZEN_DICTS = config.use_frozen_dicts - tls_server_context_factory = context_factory.ServerContextFactory(config) + if config.no_tls: + tls_server_context_factory = None + else: + tls_server_context_factory = context_factory.ServerContextFactory(config) database_engine = create_engine(config.database_config) config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection diff --git a/synapse/config/tls.py b/synapse/config/tls.py index 63419de11ce3..cf2cb43eb8da 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -59,13 +59,13 @@ def read_config(self, config): if sha256_fingerprint not in sha256_fingerprints: self.tls_fingerprints.append({u"sha256": sha256_fingerprint}) - # This config option applies to non-federation HTTP clients - # (e.g. for talking to recaptcha, identity servers, and such) - # It should never be used in production, and is intended for - # use only when running tests. - self.use_insecure_ssl_client_just_for_testing_do_not_use = config.get( - "use_insecure_ssl_client_just_for_testing_do_not_use" - ) + # This config option applies to non-federation HTTP clients + # (e.g. for talking to recaptcha, identity servers, and such) + # It should never be used in production, and is intended for + # use only when running tests. + self.use_insecure_ssl_client_just_for_testing_do_not_use = config.get( + "use_insecure_ssl_client_just_for_testing_do_not_use" + ) def default_config(self, config_dir_path, server_name, **kwargs): base_key_name = os.path.join(config_dir_path, server_name) 
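Review bot: The RuntimeError raised in _listener_http does not say which listener is misconfigured, although `port` is in scope on the line above (`site_tag = listener_config.get("tag", port)`), so an operator with several listeners has to guess. Include it in the message, `raise RuntimeError("Listener on port %s is configured with tls enabled, but no_tls is set" % (port,))`, and consider performing this no_tls/listener check during config parsing so it surfaces with the other config errors before the server starts. Failing closed here instead of silently skipping the listener, as the removed `return` did, is the right direction. The body of _listener_http starts before and continues after the hunk.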
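Review bot: In setup, `tls_server_context_factory` becomes None under no_tls and is handed on with no comment explaining why that is safe; from the visible lines the only protection is the RuntimeError added in _listener_http, which rejects TLS listeners before a None factory could be used. Record that invariant at the assignment, `# no_tls: no server TLS context is built; _listener_http raises for any listener that requests tls`, so a later change to the listener check does not silently turn this into an error on a None factory. Whether any other consumer of the factory exists is not visible in this hunk; setup continues outside it.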
diff --git a/synapse/rest/key/v1/server_key_resource.py b/synapse/rest/key/v1/server_key_resource.py index bd4fea57742f..f8c2fcaca8c3 100644 --- a/synapse/rest/key/v1/server_key_resource.py +++ b/synapse/rest/key/v1/server_key_resource.py @@ -63,14 +63,18 @@ def response_json_object(server_config): key_id = "%s:%s" % (key.alg, key.version) verify_keys[key_id] = encode_base64(verify_key_bytes) - x509_certificate_bytes = crypto.dump_certificate( - crypto.FILETYPE_ASN1, - server_config.tls_certificate - ) + if server_config.no_tls: + x509_b64 = u"" + else: + x509_certificate_bytes = crypto.dump_certificate( + crypto.FILETYPE_ASN1, + server_config.tls_certificate + ) + x509_b64 = encode_base64(x509_certificate_bytes) json_object = { u"server_name": server_config.server_name, u"verify_keys": verify_keys, - u"tls_certificate": encode_base64(x509_certificate_bytes) + u"tls_certificate": x509_b64 } for key in server_config.signing_key: json_object = sign_json( diff --git a/synapse/rest/key/v2/local_key_resource.py b/synapse/rest/key/v2/local_key_resource.py index be68d9a0969a..963d6c08c26d 100644 --- a/synapse/rest/key/v2/local_key_resource.py +++ b/synapse/rest/key/v2/local_key_resource.py @@ -91,7 +91,10 @@ def response_json_object(self): u"expired_ts": key.expired_ts, } - tls_fingerprints = self.config.tls_fingerprints + if self.config.no_tls: + tls_fingerprints = [] + else: + tls_fingerprints = self.config.tls_fingerprints json_object = { u"valid_until_ts": self.valid_until_ts,
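Review bot: In response_json_object the v1 key document now carries `u"tls_certificate": u""` under no_tls, and that empty string is signed with the rest of the object, so a consumer that treats the field as base64 DER and decodes it fails on the empty value instead of learning that no certificate is published. If the v1 format permits omitting the field, build `json_object` without the key in the no_tls case; if it does not, document the choice at the `x509_b64 = u""` line, `# no_tls: no server certificate exists; an empty string is published rather than omitting the field`. The v2 resource in the next hunk expresses the same state as an empty fingerprint list, so the two key endpoints now describe "no TLS" differently and are worth aligning. response_json_object starts before the hunk and continues after it.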