Matrix-Mirrors/forked-synapse
1
0
Fork 0
mirror of https://mau.dev/maunium/synapse.git synced 2024-07-02 17:31:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
7cebaf9644
forked-synapse/synapse/config/tls.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

262 lines
10 KiB
Python
Raw Normal View History

copyrights
2016-01-07 04:26:29 +00:00
# Copyright 2014-2016 OpenMarket Ltd
Add config tree to synapse. Add support for reading config from a file
2014-08-31 15:06:39 +00:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
import logging
Add config tree to synapse. Add support for reading config from a file
2014-08-31 15:06:39 +00:00
import os
Merge pull request from GHSA-x345-32rc-8h85 * tests for push rule pattern matching * tests for acl pattern matching * factor out common `re.escape` * Factor out common re.compile * Factor out common anchoring code * add word_boundary support to `glob_to_regex` * Use `glob_to_regex` in push rule evaluator NB that this drops support for character classes. I don't think anyone ever used them. * Improve efficiency of globs with multiple wildcards The idea here is that we compress multiple `*` globs into a single `.*`. We also need to consider `?`, since `*?*` is as hard to implement efficiently as `**`. * add assertion on regex pattern * Fix mypy * Simplify glob_to_regex * Inline the glob_to_regex helper function Signed-off-by: Dan Callahan <danc@element.io> * Moar comments Signed-off-by: Dan Callahan <danc@element.io> Co-authored-by: Dan Callahan <danc@element.io>
2021-05-11 09:47:23 +00:00
from typing import List, Optional, Pattern
run isort
2018-07-09 06:09:20 +00:00
Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)
2019-06-28 08:19:09 +00:00
from OpenSSL import SSL, crypto
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
from twisted.internet._sslverify import Certificate, trustRootFromCertificates
run isort
2018-07-09 06:09:20 +00:00
Fix error when loading cert if tls is disabled (#4618) If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.
2019-02-12 10:51:31 +00:00
from synapse.config._base import Config, ConfigError
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
from synapse.util import glob_to_regex
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
Logging improvements around TLS certs Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work
2019-02-11 21:00:41 +00:00
logger = logging.getLogger(__name__)
run isort
2018-07-09 06:09:20 +00:00
Use pregenerated DH params when generating config
2014-09-01 19:35:10 +00:00
Add config tree to synapse. Add support for reading config from a file
2014-08-31 15:06:39 +00:00
class TlsConfig(Config):
Refactor HomeserverConfig so it can be typechecked (#6137)
2019-10-10 08:39:35 +00:00
section = "tls"
def read_config(self, config: dict, config_dir_path: str, **kwargs):
add new optional config for tls_certificate_chain_path for folks with intermediary SSL certs
2015-07-08 17:20:02 +00:00
Do not generate self-signed TLS certificates by default. (#4509)
2019-01-29 14:09:10 +00:00
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
Fix error when loading cert if tls is disabled (#4618) If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.
2019-02-12 10:51:31 +00:00
Refactor HomeserverConfig so it can be typechecked (#6137)
2019-10-10 08:39:35 +00:00
if self.root.server.has_tls_listener():
Fix error when loading cert if tls is disabled (#4618) If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.
2019-02-12 10:51:31 +00:00
if not self.tls_certificate_file:
raise ConfigError(
"tls_certificate_path must be specified if TLS-enabled listeners are "
"configured."
)
if not self.tls_private_key_file:
raise ConfigError(
Fix ACME config for python 2. (#4717) Fixes #4675.
2019-02-25 19:16:33 +00:00
"tls_private_key_path must be specified if TLS-enabled listeners are "
Fix error when loading cert if tls is disabled (#4618) If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.
2019-02-12 10:51:31 +00:00
"configured."
)
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# Whether to verify certificates on outbound federation traffic
self.federation_verify_certificates = config.get(
Validate federation server TLS certificates by default.
2019-06-05 13:16:07 +00:00
"federation_verify_certificates", True
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
)
Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)
2019-06-28 08:19:09 +00:00
# Minimum TLS version to use for outbound federation traffic
self.federation_client_minimum_tls_version = str(
config.get("federation_client_minimum_tls_version", 1)
)
if self.federation_client_minimum_tls_version not in ["1", "1.1", "1.2", "1.3"]:
raise ConfigError(
"federation_client_minimum_tls_version must be one of: 1, 1.1, 1.2, 1.3"
)
# Prevent people shooting themselves in the foot here by setting it to
# the biggest number blindly
if self.federation_client_minimum_tls_version == "1.3":
if getattr(SSL, "OP_NO_TLSv1_3", None) is None:
raise ConfigError(
[pyupgrade] `synapse/` (#10348) This PR is tantamount to running ``` pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"` ``` Part of #9744
2021-07-19 14:28:05 +00:00
"federation_client_minimum_tls_version cannot be 1.3, "
"your OpenSSL does not support it"
Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)
2019-06-28 08:19:09 +00:00
)
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# Whitelist of domains to not verify certificates for
fed_whitelist_entries = config.get(
"federation_certificate_verification_whitelist", []
)
Allow empty federation_certificate_verification_whitelist (#6849)
2020-02-06 14:45:01 +00:00
if fed_whitelist_entries is None:
fed_whitelist_entries = []
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# Support globs (*) in whitelist values
Use inline type hints in various other places (in `synapse/`) (#10380)
2021-07-15 10:02:43 +00:00
self.federation_certificate_verification_whitelist: List[Pattern] = []
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
for entry in fed_whitelist_entries:
Fix well-known lookups with the federation certificate whitelist (#5997)
2019-09-13 18:58:38 +00:00
try:
entry_regex = glob_to_regex(entry.encode("ascii").decode("ascii"))
except UnicodeEncodeError:
raise ConfigError(
"IDNA domain names are not allowed in the "
"federation_certificate_verification_whitelist: %s" % (entry,)
)
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# Convert globs to regex
self.federation_certificate_verification_whitelist.append(entry_regex)
# List of custom certificate authorities for federation traffic validation
custom_ca_list = config.get("federation_custom_ca_list", None)
# Read in and parse custom CA certificates
self.federation_ca_trust_root = None
if custom_ca_list is not None:
if len(custom_ca_list) == 0:
# A trustroot cannot be generated without any CA certificates.
# Raise an error if this option has been specified without any
# corresponding certificates.
raise ConfigError(
"federation_custom_ca_list specified without "
"any certificate files"
)
certs = []
for ca_file in custom_ca_list:
logger.debug("Reading custom CA certificate file: %s", ca_file)
Fix `federation_custom_ca_list` configuration option. Previously, setting this option would cause an exception at startup.
2019-06-05 15:16:33 +00:00
content = self.read_file(ca_file, "federation_custom_ca_list")
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# Parse the CA certificates
try:
cert_base = Certificate.loadPEM(content)
certs.append(cert_base)
except Exception as e:
raise ConfigError(
"Error parsing custom CA certificate file %s: %s" % (ca_file, e)
)
self.federation_ca_trust_root = trustRootFromCertificates(certs)
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
# This config option applies to non-federation HTTP clients
# (e.g. for talking to recaptcha, identity servers, and such)
# It should never be used in production, and is intended for
# use only when running tests.
self.use_insecure_ssl_client_just_for_testing_do_not_use = config.get(
"use_insecure_ssl_client_just_for_testing_do_not_use"
)
Use inline type hints in various other places (in `synapse/`) (#10380)
2021-07-15 10:02:43 +00:00
self.tls_certificate: Optional[crypto.X509] = None
self.tls_private_key: Optional[crypto.PKey] = None
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
Remove redundant code to reload tls cert (#10054) we don't need to reload the tls cert if we don't have any tls listeners. Follow-up to #9280.
2021-05-27 09:34:24 +00:00
def read_certificate_from_disk(self):
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
"""
Fix error when loading cert if tls is disabled (#4618) If TLS is disabled, it should not be an error if no cert is given. Fixes #4554.
2019-02-12 10:51:31 +00:00
Read the certificates and private key from disk.
"""
Remove redundant code to reload tls cert (#10054) we don't need to reload the tls cert if we don't have any tls listeners. Follow-up to #9280.
2021-05-27 09:34:24 +00:00
self.tls_private_key = self.read_tls_private_key()
self.tls_certificate = self.read_tls_certificate()
Don't look for an TLS private key if we have set --no-tls
2015-03-06 11:34:06 +00:00
Don't load the generated config as the default. It's too confusing.
2019-06-21 23:00:20 +00:00
def generate_config_section(
Config templating (#5900) Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 12:12:22 +00:00
self,
config_dir_path,
server_name,
data_dir_path,
tls_certificate_path,
tls_private_key_path,
Bump black configuration to target py36 (#9781) Signed-off-by: Dan Callahan <danc@element.io>
2021-04-13 09:41:34 +00:00
**kwargs,
Don't load the generated config as the default. It's too confusing.
2019-06-21 23:00:20 +00:00
):
Remove support for ACME v1 (#10194) Fixes #9778 ACME v1 has been fully decommissioned for existing installs on June 1st 2021(see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27), so we can now safely remove it from Synapse.
2021-06-17 17:56:48 +00:00
"""If the TLS paths are not specified the default will be certs in the
Config templating (#5900) Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 12:12:22 +00:00
config directory"""
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class
2015-04-30 03:24:44 +00:00
base_key_name = os.path.join(config_dir_path, server_name)
Config templating (#5900) Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 12:12:22 +00:00
if bool(tls_certificate_path) != bool(tls_private_key_path):
raise ConfigError(
"Please specify both a cert path and a key path or neither."
)
Remove support for ACME v1 (#10194) Fixes #9778 ACME v1 has been fully decommissioned for existing installs on June 1st 2021(see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27), so we can now safely remove it from Synapse.
2021-06-17 17:56:48 +00:00
tls_enabled = "" if tls_certificate_path and tls_private_key_path else "#"
Config templating (#5900) Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 12:12:22 +00:00
if not tls_certificate_path:
tls_certificate_path = base_key_name + ".tls.crt"
if not tls_private_key_path:
tls_private_key_path = base_key_name + ".tls.key"
Add config linting script that checks for bool casing (#6203) Add a linting script that enforces all boolean values in the default config be lowercase. This has annoyed me for a while so I decided to fix it.
2019-10-23 12:22:54 +00:00
# flake8 doesn't recognise that variables are used in the below string
Remove support for ACME v1 (#10194) Fixes #9778 ACME v1 has been fully decommissioned for existing installs on June 1st 2021(see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27), so we can now safely remove it from Synapse.
2021-06-17 17:56:48 +00:00
_ = tls_enabled
Add config linting script that checks for bool casing (#6203) Add a linting script that enforces all boolean values in the default config be lowercase. This has annoyed me for a while so I decided to fix it.
2019-10-23 12:22:54 +00:00
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
return (
"""\
Infer no_tls from presence of TLS listeners Rather than have to specify `no_tls` explicitly, infer whether we need to load the TLS keys etc from whether we have any TLS-enabled listeners.
2019-02-11 17:57:58 +00:00
## TLS ##
ACME config cleanups (#4525) * Handle listening for ACME requests on IPv6 addresses the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses without extra quoting. Building a string which you are about to parse again seems like a weird choice. Let's just use listenTCP, which is consistent with what we do elsewhere. * Clean up the default ACME config make it look a bit more consistent with everything else, and tweak the defaults to listen on port 80. * newsfile
2019-01-30 14:17:55 +00:00
# PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority.
#
Remove support for ACME v1 (#10194) Fixes #9778 ACME v1 has been fully decommissioned for existing installs on June 1st 2021(see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27), so we can now safely remove it from Synapse.
2021-06-17 17:56:48 +00:00
# Be sure to use a `.pem` file that includes the full certificate chain including
# any intermediate certificates (for instance, if using certbot, use
# `fullchain.pem` as your certificate, not `cert.pem`).
Document using a certificate with a full chain (#4849)
2019-03-13 15:26:29 +00:00
#
Config templating (#5900) Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 12:12:22 +00:00
%(tls_enabled)stls_certificate_path: "%(tls_certificate_path)s"
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class
2015-04-30 03:24:44 +00:00
ACME config cleanups (#4525) * Handle listening for ACME requests on IPv6 addresses the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses without extra quoting. Building a string which you are about to parse again seems like a weird choice. Let's just use listenTCP, which is consistent with what we do elsewhere. * Clean up the default ACME config make it look a bit more consistent with everything else, and tweak the defaults to listen on port 80. * newsfile
2019-01-30 14:17:55 +00:00
# PEM-encoded private key for TLS
Attempt to make default config more consistent The general idea here is that config examples should just have a hash and no extraneous whitespace, both to make it easier for people who don't understand yaml, and to make the examples stand out from the comments.
2019-02-19 13:54:29 +00:00
#
Config templating (#5900) Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
2019-08-28 12:12:22 +00:00
%(tls_enabled)stls_private_key_path: "%(tls_private_key_path)s"
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class
2015-04-30 03:24:44 +00:00
Validate federation server TLS certificates by default.
2019-06-05 13:16:07 +00:00
# Whether to verify TLS server certificates for outbound federation requests.
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
#
Validate federation server TLS certificates by default.
2019-06-05 13:16:07 +00:00
# Defaults to `true`. To disable certificate verification, uncomment the
# following line.
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
#
Validate federation server TLS certificates by default.
2019-06-05 13:16:07 +00:00
#federation_verify_certificates: false
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
Update the TLS cipher string and provide configurability for TLS on outgoing federation (#5550)
2019-06-28 08:19:09 +00:00
# The minimum TLS version that will be used for outbound federation requests.
#
# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
# that setting this value higher than `1.2` will prevent federation to most
# of the public Matrix network: only configure it to `1.3` if you have an
# entirely private federation setup and you can ensure TLS 1.3 support.
#
#federation_client_minimum_tls_version: 1.2
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# Skip federation certificate verification on the following whitelist
# of domains.
#
# This setting should only be used in very specific cases, such as
# federation over Tor hidden services and similar. For private networks
# of homeservers, you likely want to use a private CA instead.
#
# Only effective if federation_verify_certicates is `true`.
#
#federation_certificate_verification_whitelist:
# - lon.example.com
Docs: Quote wildcard `federation_certificate_verification_whitelist` (#11381) Otherwise I get this beautiful stacktrace: ``` python3 -m synapse.app.homeserver --config-path /etc/matrix/homeserver.yaml Traceback (most recent call last): File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main return _run_code(code, main_globals, None, File "/usr/lib/python3.8/runpy.py", line 87, in _run_code exec(code, run_globals) File "/root/synapse/synapse/app/homeserver.py", line 455, in <module> main() File "/root/synapse/synapse/app/homeserver.py", line 445, in main hs = setup(sys.argv[1:]) File "/root/synapse/synapse/app/homeserver.py", line 345, in setup config = HomeServerConfig.load_or_generate_config( File "/root/synapse/synapse/config/_base.py", line 671, in load_or_generate_config config_dict = read_config_files(config_files) File "/root/synapse/synapse/config/_base.py", line 717, in read_config_files yaml_config = yaml.safe_load(file_stream) File "/root/synapse/env/lib/python3.8/site-packages/yaml/__init__.py", line 125, in safe_load return load(stream, SafeLoader) File "/root/synapse/env/lib/python3.8/site-packages/yaml/__init__.py", line 81, in load return loader.get_single_data() File "/root/synapse/env/lib/python3.8/site-packages/yaml/constructor.py", line 49, in get_single_data node = self.get_single_node() File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 36, in get_single_node document = self.compose_document() File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 55, in compose_document node = self.compose_node(None, None) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 84, in compose_node node = self.compose_mapping_node(anchor) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 133, in compose_mapping_node item_value = self.compose_node(node, item_key) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 82, in compose_node node = self.compose_sequence_node(anchor) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 110, in compose_sequence_node while not self.check_event(SequenceEndEvent): File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 98, in check_event self.current_event = self.state() File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 379, in parse_block_sequence_first_entry return self.parse_block_sequence_entry() File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 384, in parse_block_sequence_entry if not self.check_token(BlockEntryToken, BlockEndToken): File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 116, in check_token self.fetch_more_tokens() File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 227, in fetch_more_tokens return self.fetch_alias() File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 610, in fetch_alias self.tokens.append(self.scan_anchor(AliasToken)) File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 922, in scan_anchor raise ScannerError("while scanning an %s" % name, start_mark, yaml.scanner.ScannerError: while scanning an alias in "/etc/matrix/homeserver.yaml", line 614, column 5 expected alphabetic or numeric character, but found '.' in "/etc/matrix/homeserver.yaml", line 614, column 6 ``` Signed-off-by: Nicolai Søborg <git@xn--sb-lka.org>
2021-11-18 12:24:40 +00:00
# - "*.domain.com"
# - "*.onion"
Config option for verifying federation certificates (MSC 1711) (#4967)
2019-04-25 13:22:49 +00:00
# List of custom certificate authorities for federation traffic.
#
# This setting should only normally be used within a private network of
# homeservers.
#
# Note that this list will replace those that are provided by your
# operating environment. Certificates must be in PEM format.
#
#federation_custom_ca_list:
# - myCA1.pem
# - myCA2.pem
# - myCA3.pem
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
"""
Add config linting script that checks for bool casing (#6203) Add a linting script that enforces all boolean values in the default config be lowercase. This has annoyed me for a while so I decided to fix it.
2019-10-23 12:22:54 +00:00
# Lowercase the string representation of boolean values
% {
x[0]: str(x[1]).lower() if isinstance(x[1], bool) else x[1]
for x in locals().items()
}
Support ACME for certificate provisioning (#4384)
2019-01-23 08:39:06 +00:00
)
Add config tree to synapse. Add support for reading config from a file
2014-08-31 15:06:39 +00:00
Enable mypy checking for unreachable code and fix instances. (#8432)
2020-10-01 12:09:18 +00:00
def read_tls_certificate(self) -> crypto.X509:
Logging improvements around TLS certs Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work
2019-02-11 21:00:41 +00:00
"""Reads the TLS certificate from the configured file, and returns it
Returns:
Enable mypy checking for unreachable code and fix instances. (#8432)
2020-10-01 12:09:18 +00:00
The certificate
Logging improvements around TLS certs Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work
2019-02-11 21:00:41 +00:00
"""
cert_path = self.tls_certificate_file
logger.info("Loading TLS certificate from %s", cert_path)
cert_pem = self.read_file(cert_path, "tls_certificate_path")
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
return cert
Add config tree to synapse. Add support for reading config from a file
2014-08-31 15:06:39 +00:00
Enable mypy checking for unreachable code and fix instances. (#8432)
2020-10-01 12:09:18 +00:00
def read_tls_private_key(self) -> crypto.PKey:
Logging improvements around TLS certs Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work
2019-02-11 21:00:41 +00:00
"""Reads the TLS private key from the configured file, and returns it
Returns:
Enable mypy checking for unreachable code and fix instances. (#8432)
2020-10-01 12:09:18 +00:00
The private key
Logging improvements around TLS certs Log which file we're reading keys and certs from, and refactor the code a bit in preparation for other work
2019-02-11 21:00:41 +00:00
"""
private_key_path = self.tls_private_key_file
logger.info("Loading TLS key from %s", private_key_path)
private_key_pem = self.read_file(private_key_path, "tls_private_key_path")
Add config tree to synapse. Add support for reading config from a file
2014-08-31 15:06:39 +00:00
return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
Reference in New Issue Copy Permalink