Merge pull request #103 from matrix-org/no_tls_private_key
Don't look for a TLS private key if we have set --no-tls
This commit is contained in:
commit
b1491dfd7c
|
@ -30,7 +30,6 @@ class ServerConfig(Config):
|
||||||
self.pid_file = self.abspath(args.pid_file)
|
self.pid_file = self.abspath(args.pid_file)
|
||||||
self.webclient = True
|
self.webclient = True
|
||||||
self.manhole = args.manhole
|
self.manhole = args.manhole
|
||||||
self.no_tls = args.no_tls
|
|
||||||
self.soft_file_limit = args.soft_file_limit
|
self.soft_file_limit = args.soft_file_limit
|
||||||
|
|
||||||
if not args.content_addr:
|
if not args.content_addr:
|
||||||
|
@ -76,8 +75,6 @@ class ServerConfig(Config):
|
||||||
server_group.add_argument("--content-addr", default=None,
|
server_group.add_argument("--content-addr", default=None,
|
||||||
help="The host and scheme to use for the "
|
help="The host and scheme to use for the "
|
||||||
"content repository")
|
"content repository")
|
||||||
server_group.add_argument("--no-tls", action='store_true',
|
|
||||||
help="Don't bind to the https port.")
|
|
||||||
server_group.add_argument("--soft-file-limit", type=int, default=0,
|
server_group.add_argument("--soft-file-limit", type=int, default=0,
|
||||||
help="Set the soft limit on the number of "
|
help="Set the soft limit on the number of "
|
||||||
"file descriptors synapse can use. "
|
"file descriptors synapse can use. "
|
||||||
|
|
|
@ -28,9 +28,16 @@ class TlsConfig(Config):
|
||||||
self.tls_certificate = self.read_tls_certificate(
|
self.tls_certificate = self.read_tls_certificate(
|
||||||
args.tls_certificate_path
|
args.tls_certificate_path
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self.no_tls = args.no_tls
|
||||||
|
|
||||||
|
if self.no_tls:
|
||||||
|
self.tls_private_key = None
|
||||||
|
else:
|
||||||
self.tls_private_key = self.read_tls_private_key(
|
self.tls_private_key = self.read_tls_private_key(
|
||||||
args.tls_private_key_path
|
args.tls_private_key_path
|
||||||
)
|
)
|
||||||
|
|
||||||
self.tls_dh_params_path = self.check_file(
|
self.tls_dh_params_path = self.check_file(
|
||||||
args.tls_dh_params_path, "tls_dh_params"
|
args.tls_dh_params_path, "tls_dh_params"
|
||||||
)
|
)
|
||||||
|
@ -45,6 +52,8 @@ class TlsConfig(Config):
|
||||||
help="PEM encoded private key for TLS")
|
help="PEM encoded private key for TLS")
|
||||||
tls_group.add_argument("--tls-dh-params-path",
|
tls_group.add_argument("--tls-dh-params-path",
|
||||||
help="PEM dh parameters for ephemeral keys")
|
help="PEM dh parameters for ephemeral keys")
|
||||||
|
tls_group.add_argument("--no-tls", action='store_true',
|
||||||
|
help="Don't bind to the https port.")
|
||||||
|
|
||||||
def read_tls_certificate(self, cert_path):
|
def read_tls_certificate(self, cert_path):
|
||||||
cert_pem = self.read_file(cert_path, "tls_certificate")
|
cert_pem = self.read_file(cert_path, "tls_certificate")
|
||||||
|
|
|
@ -38,7 +38,10 @@ class ServerContextFactory(ssl.ContextFactory):
|
||||||
logger.exception("Failed to enable eliptic curve for TLS")
|
logger.exception("Failed to enable eliptic curve for TLS")
|
||||||
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
|
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
|
||||||
context.use_certificate(config.tls_certificate)
|
context.use_certificate(config.tls_certificate)
|
||||||
|
|
||||||
|
if not config.no_tls:
|
||||||
context.use_privatekey(config.tls_private_key)
|
context.use_privatekey(config.tls_private_key)
|
||||||
|
|
||||||
context.load_tmp_dh(config.tls_dh_params_path)
|
context.load_tmp_dh(config.tls_dh_params_path)
|
||||||
context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
|
context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue