Don't create server contexts when TLS is disabled

we aren't going to use them anyway.
This commit is contained in:
Richard van der Hoff 2019-02-11 21:30:59 +00:00
parent 086f6f27d4
commit 9645728619
3 changed files with 7 additions and 3 deletions

1
changelog.d/4617.misc Normal file
View File

@ -0,0 +1 @@
Don't create server contexts when TLS is disabled

View File

@ -214,6 +214,11 @@ def refresh_certificate(hs):
disk and updating the TLS context factories to use them. disk and updating the TLS context factories to use them.
""" """
hs.config.read_certificate_from_disk() hs.config.read_certificate_from_disk()
if hs.config.no_tls:
# nothing else to do here
return
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config) hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
if hs._listening_services: if hs._listening_services:

View File

@ -43,8 +43,6 @@ class ServerContextFactory(ContextFactory):
logger.exception("Failed to enable elliptic curve for TLS") logger.exception("Failed to enable elliptic curve for TLS")
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
context.use_certificate_chain_file(config.tls_certificate_file) context.use_certificate_chain_file(config.tls_certificate_file)
if not config.no_tls:
context.use_privatekey(config.tls_private_key) context.use_privatekey(config.tls_private_key)
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/