Don't look for an TLS private key if we have set --no-tls

This commit is contained in:
Erik Johnston 2015-03-06 11:34:06 +00:00
parent e780492ecf
commit 3ce8540484
3 changed files with 17 additions and 8 deletions

View File

@ -30,7 +30,6 @@ class ServerConfig(Config):
self.pid_file = self.abspath(args.pid_file) self.pid_file = self.abspath(args.pid_file)
self.webclient = True self.webclient = True
self.manhole = args.manhole self.manhole = args.manhole
self.no_tls = args.no_tls
self.soft_file_limit = args.soft_file_limit self.soft_file_limit = args.soft_file_limit
if not args.content_addr: if not args.content_addr:
@ -76,8 +75,6 @@ class ServerConfig(Config):
server_group.add_argument("--content-addr", default=None, server_group.add_argument("--content-addr", default=None,
help="The host and scheme to use for the " help="The host and scheme to use for the "
"content repository") "content repository")
server_group.add_argument("--no-tls", action='store_true',
help="Don't bind to the https port.")
server_group.add_argument("--soft-file-limit", type=int, default=0, server_group.add_argument("--soft-file-limit", type=int, default=0,
help="Set the soft limit on the number of " help="Set the soft limit on the number of "
"file descriptors synapse can use. " "file descriptors synapse can use. "

View File

@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from ._base import Config from ._base import Config, ConfigError
from OpenSSL import crypto from OpenSSL import crypto
import subprocess import subprocess
@ -28,9 +28,16 @@ class TlsConfig(Config):
self.tls_certificate = self.read_tls_certificate( self.tls_certificate = self.read_tls_certificate(
args.tls_certificate_path args.tls_certificate_path
) )
self.tls_private_key = self.read_tls_private_key(
args.tls_private_key_path self.no_tls = args.no_tls
)
if self.no_tls:
self.tls_private_key = None
else:
self.tls_private_key = self.read_tls_private_key(
args.tls_private_key_path
)
self.tls_dh_params_path = self.check_file( self.tls_dh_params_path = self.check_file(
args.tls_dh_params_path, "tls_dh_params" args.tls_dh_params_path, "tls_dh_params"
) )
@ -45,6 +52,8 @@ class TlsConfig(Config):
help="PEM encoded private key for TLS") help="PEM encoded private key for TLS")
tls_group.add_argument("--tls-dh-params-path", tls_group.add_argument("--tls-dh-params-path",
help="PEM dh parameters for ephemeral keys") help="PEM dh parameters for ephemeral keys")
tls_group.add_argument("--no-tls", action='store_true',
help="Don't bind to the https port.")
def read_tls_certificate(self, cert_path): def read_tls_certificate(self, cert_path):
cert_pem = self.read_file(cert_path, "tls_certificate") cert_pem = self.read_file(cert_path, "tls_certificate")

View File

@ -38,7 +38,10 @@ class ServerContextFactory(ssl.ContextFactory):
logger.exception("Failed to enable eliptic curve for TLS") logger.exception("Failed to enable eliptic curve for TLS")
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
context.use_certificate(config.tls_certificate) context.use_certificate(config.tls_certificate)
context.use_privatekey(config.tls_private_key)
if not config.no_tls:
context.use_privatekey(config.tls_private_key)
context.load_tmp_dh(config.tls_dh_params_path) context.load_tmp_dh(config.tls_dh_params_path)
context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH") context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")