Merge branch 'rav/no_create_server_contexts_if_no_tls' into rav/tls_cert/work

This commit is contained in:
Richard van der Hoff 2019-02-11 21:34:19 +00:00
commit 15272f837c
3 changed files with 7 additions and 3 deletions

1
changelog.d/4617.misc Normal file
View File

@ -0,0 +1 @@
Don't create server contexts when TLS is disabled

View File

@ -214,6 +214,11 @@ def refresh_certificate(hs):
disk and updating the TLS context factories to use them. disk and updating the TLS context factories to use them.
""" """
hs.config.read_certificate_from_disk() hs.config.read_certificate_from_disk()
if hs.config.no_tls:
# nothing else to do here
return
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config) hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
if hs._listening_services: if hs._listening_services:

View File

@ -43,9 +43,7 @@ class ServerContextFactory(ContextFactory):
logger.exception("Failed to enable elliptic curve for TLS") logger.exception("Failed to enable elliptic curve for TLS")
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
context.use_certificate_chain_file(config.tls_certificate_file) context.use_certificate_chain_file(config.tls_certificate_file)
context.use_privatekey(config.tls_private_key)
if not config.no_tls:
context.use_privatekey(config.tls_private_key)
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
context.set_cipher_list( context.set_cipher_list(