Don't look for an TLS private key if we have set --no-tls

2015-03-06 11:34:06 +00:00 · 2015-03-06 11:34:06 +00:00 · 3ce8540484
parent e780492ecf
commit 3ce8540484
3 changed files with 17 additions and 8 deletions
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@ -30,7 +30,6 @@ class ServerConfig(Config):
        self.pid_file = self.abspath(args.pid_file)
        self.webclient = True
        self.manhole = args.manhole
-        self.no_tls = args.no_tls
        self.soft_file_limit = args.soft_file_limit

        if not args.content_addr:
@ -76,8 +75,6 @@ class ServerConfig(Config):
        server_group.add_argument("--content-addr", default=None,
                                  help="The host and scheme to use for the "
                                  "content repository")
-        server_group.add_argument("--no-tls", action='store_true',
-                                  help="Don't bind to the https port.")
        server_group.add_argument("--soft-file-limit", type=int, default=0,
                                  help="Set the soft limit on the number of "
                                       "file descriptors synapse can use. "
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-from ._base import Config
+from ._base import Config, ConfigError

 from OpenSSL import crypto
 import subprocess
@ -28,9 +28,16 @@ class TlsConfig(Config):
        self.tls_certificate = self.read_tls_certificate(
            args.tls_certificate_path
        )
+
+        self.no_tls = args.no_tls
+
+        if self.no_tls:
+            self.tls_private_key = None
+        else:
            self.tls_private_key = self.read_tls_private_key(
                args.tls_private_key_path
            )
+
        self.tls_dh_params_path = self.check_file(
            args.tls_dh_params_path, "tls_dh_params"
        )
@ -45,6 +52,8 @@ class TlsConfig(Config):
                               help="PEM encoded private key for TLS")
        tls_group.add_argument("--tls-dh-params-path",
                               help="PEM dh parameters for ephemeral keys")
+        tls_group.add_argument("--no-tls", action='store_true',
+                               help="Don't bind to the https port.")

    def read_tls_certificate(self, cert_path):
        cert_pem = self.read_file(cert_path, "tls_certificate")
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -38,7 +38,10 @@ class ServerContextFactory(ssl.ContextFactory):
            logger.exception("Failed to enable eliptic curve for TLS")
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.use_certificate(config.tls_certificate)
+
+        if not config.no_tls:
            context.use_privatekey(config.tls_private_key)
+
        context.load_tmp_dh(config.tls_dh_params_path)
        context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")