add new optional config for tls_certificate_chain_path for folks with intermediary SSL certs

2024-10-01 08:25:44 -04:00 · 2015-07-08 18:20:02 +01:00 · 2015-07-08 18:20:02 +01:00 · 64afbe6ccd
commit 64afbe6ccd
parent dfc74c30c9
2 changed files with 19 additions and 3 deletions
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -25,9 +25,19 @@ GENERATE_DH_PARAMS = False
 class TlsConfig(Config):
    def read_config(self, config):
        self.tls_certificate = self.read_tls_certificate(
-            config.get("tls_certificate_path")
+            config.get("tls_certificate_path"),
+            "tls_certificate"
        )

+        tls_certificate_chain_path =
+            config.get("tls_certificate_chain_path")
+
+        if tls_certificate_chain_path and os.path.exists(tls_certificate_chain_path):
+            self.tls_certificate_chain = self.read_tls_certificate(
+                config.get("tls_certificate_chain_path"),
+                "tls_certificate_chain"
+            )
+
        self.no_tls = config.get("no_tls", False)

        if self.no_tls:
@ -45,6 +55,7 @@ class TlsConfig(Config):
        base_key_name = os.path.join(config_dir_path, server_name)

        tls_certificate_path = base_key_name + ".tls.crt"
+        tls_certificate_chain_path = base_key_name + ".tls.chain.crt"
        tls_private_key_path = base_key_name + ".tls.key"
        tls_dh_params_path = base_key_name + ".tls.dh"

@ -52,6 +63,9 @@ class TlsConfig(Config):
        # PEM encoded X509 certificate for TLS
        tls_certificate_path: "%(tls_certificate_path)s"

+        # PEM encoded X509 intermediary certificate file for TLS (optional)
+        # tls_certificate_chain_path: "%(tls_certificate_chain_path)s"
+
        # PEM encoded private key for TLS
        tls_private_key_path: "%(tls_private_key_path)s"

@ -62,8 +76,8 @@ class TlsConfig(Config):
        no_tls: False
        """ % locals()

-    def read_tls_certificate(self, cert_path):
-        cert_pem = self.read_file(cert_path, "tls_certificate")
+    def read_tls_certificate(self, cert_path, config_name):
+        cert_pem = self.read_file(cert_path, config_name)
        return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)

    def read_tls_private_key(self, private_key_path):
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -38,6 +38,8 @@ class ServerContextFactory(ssl.ContextFactory):
            logger.exception("Failed to enable eliptic curve for TLS")
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.use_certificate(config.tls_certificate)
+        if config.tls_certificate_chain:
+            context.use_certificate_chain_file(config.tls_certificate_chain)

        if not config.no_tls:
            context.use_privatekey(config.tls_private_key)