Infer no_tls from presence of TLS listeners

Rather than have to specify `no_tls` explicitly, infer whether we need to load
the TLS keys etc from whether we have any TLS-enabled listeners.
This commit is contained in:
Richard van der Hoff 2019-02-11 17:57:58 +00:00
parent 15272f837c
commit 4fddf8fc77
10 changed files with 27 additions and 20 deletions

1
changelog.d/4613.feature Normal file
View File

@ -0,0 +1 @@
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners

1
changelog.d/4615.feature Normal file
View File

@ -0,0 +1 @@
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners

View File

@ -1 +0,0 @@
Logging improvements around TLS certs

1
changelog.d/4617.feature Normal file
View File

@ -0,0 +1 @@
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners

View File

@ -1 +0,0 @@
Don't create server contexts when TLS is disabled

View File

@ -215,7 +215,7 @@ def refresh_certificate(hs):
""" """
hs.config.read_certificate_from_disk() hs.config.read_certificate_from_disk()
if hs.config.no_tls: if not hs.config.has_tls_listener():
# nothing else to do here # nothing else to do here
return return

View File

@ -90,11 +90,6 @@ class SynapseHomeServer(HomeServer):
tls = listener_config.get("tls", False) tls = listener_config.get("tls", False)
site_tag = listener_config.get("tag", port) site_tag = listener_config.get("tag", port)
if tls and config.no_tls:
raise ConfigError(
"Listener on port %i has TLS enabled, but no_tls is set" % (port,),
)
resources = {} resources = {}
for res in listener_config["resources"]: for res in listener_config["resources"]:
for name in res["names"]: for name in res["names"]:

View File

@ -42,7 +42,7 @@ from .voip import VoipConfig
from .workers import WorkerConfig from .workers import WorkerConfig
class HomeServerConfig(TlsConfig, ServerConfig, DatabaseConfig, LoggingConfig, class HomeServerConfig(ServerConfig, TlsConfig, DatabaseConfig, LoggingConfig,
RatelimitConfig, ContentRepositoryConfig, CaptchaConfig, RatelimitConfig, ContentRepositoryConfig, CaptchaConfig,
VoipConfig, RegistrationConfig, MetricsConfig, ApiConfig, VoipConfig, RegistrationConfig, MetricsConfig, ApiConfig,
AppServiceConfig, KeyConfig, SAML2Config, CasConfig, AppServiceConfig, KeyConfig, SAML2Config, CasConfig,

View File

@ -126,14 +126,22 @@ class ServerConfig(Config):
self.public_baseurl += '/' self.public_baseurl += '/'
self.start_pushers = config.get("start_pushers", True) self.start_pushers = config.get("start_pushers", True)
self.listeners = config.get("listeners", []) self.listeners = []
for listener in config.get("listeners", []):
for listener in self.listeners:
if not isinstance(listener.get("port", None), int): if not isinstance(listener.get("port", None), int):
raise ConfigError( raise ConfigError(
"Listener configuration is lacking a valid 'port' option" "Listener configuration is lacking a valid 'port' option"
) )
if listener.setdefault("tls", False):
# no_tls is not really supported any more, but let's grandfather it in
# here.
if config.get("no_tls", False):
logger.info(
"Ignoring TLS-enabled listener on port %i due to no_tls"
)
continue
bind_address = listener.pop("bind_address", None) bind_address = listener.pop("bind_address", None)
bind_addresses = listener.setdefault("bind_addresses", []) bind_addresses = listener.setdefault("bind_addresses", [])
@ -145,6 +153,8 @@ class ServerConfig(Config):
if not bind_addresses: if not bind_addresses:
bind_addresses.extend(DEFAULT_BIND_ADDRESSES) bind_addresses.extend(DEFAULT_BIND_ADDRESSES)
self.listeners.append(listener)
if not self.web_client_location: if not self.web_client_location:
_warn_if_webclient_configured(self.listeners) _warn_if_webclient_configured(self.listeners)
@ -152,6 +162,9 @@ class ServerConfig(Config):
bind_port = config.get("bind_port") bind_port = config.get("bind_port")
if bind_port: if bind_port:
if config.get("no_tls", False):
raise ConfigError("no_tls is incompatible with bind_port")
self.listeners = [] self.listeners = []
bind_host = config.get("bind_host", "") bind_host = config.get("bind_host", "")
gzip_responses = config.get("gzip_responses", True) gzip_responses = config.get("gzip_responses", True)
@ -198,6 +211,7 @@ class ServerConfig(Config):
"port": manhole, "port": manhole,
"bind_addresses": ["127.0.0.1"], "bind_addresses": ["127.0.0.1"],
"type": "manhole", "type": "manhole",
"tls": False,
}) })
metrics_port = config.get("metrics_port") metrics_port = config.get("metrics_port")
@ -223,6 +237,9 @@ class ServerConfig(Config):
_check_resource_config(self.listeners) _check_resource_config(self.listeners)
def has_tls_listener(self):
return any(l["tls"] for l in self.listeners)
def default_config(self, server_name, data_dir_path, **kwargs): def default_config(self, server_name, data_dir_path, **kwargs):
_, bind_port = parse_and_validate_server_name(server_name) _, bind_port = parse_and_validate_server_name(server_name)
if bind_port is not None: if bind_port is not None:

View File

@ -51,7 +51,6 @@ class TlsConfig(Config):
self._original_tls_fingerprints = [] self._original_tls_fingerprints = []
self.tls_fingerprints = list(self._original_tls_fingerprints) self.tls_fingerprints = list(self._original_tls_fingerprints)
self.no_tls = config.get("no_tls", False)
# This config option applies to non-federation HTTP clients # This config option applies to non-federation HTTP clients
# (e.g. for talking to recaptcha, identity servers, and such) # (e.g. for talking to recaptcha, identity servers, and such)
@ -141,6 +140,8 @@ class TlsConfig(Config):
return ( return (
"""\ """\
## TLS ##
# PEM-encoded X509 certificate for TLS. # PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable # This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority. # certificate, signed by a recognised Certificate Authority.
@ -201,13 +202,6 @@ class TlsConfig(Config):
# #
# reprovision_threshold: 30 # reprovision_threshold: 30
# If your server runs behind a reverse-proxy which terminates TLS connections
# (for both client and federation connections), it may be useful to disable
# All TLS support for incoming connections. Setting no_tls to True will
# do so (and avoid the need to give synapse a TLS private key).
#
# no_tls: True
# List of allowed TLS fingerprints for this server to publish along # List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that # with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS # make HTTPS requests to this server will check that the TLS