gitlord
/
synapse
镜像自地址 https://github.com/matrix-org/synapse.git
1
0
派生 0
代码 工单 0 版本发布 671 百科 动态
浏览代码

Require ECDH key exchange & remove dh_params (#4429) 

* remove dh_params and set better cipher string
tags/v0.99.0rc1
Amber Brown 5 年前
committed by GitHub
父节点
83f335bedf
当前提交
23b0813599
找不到此签名对应的密钥 GPG 密钥 ID: 4AEE18F83AFDEB23
共有 8 个文件被更改,包括 6 次插入55 次删除
分列视图
Diff 选项
显示统计 下载 Patch 文件 下载 Diff 文件
  1. +1
    -1
      README.rst
  2. +1
    -0
      changelog.d/4229.feature
  3. +0
    -3
      debian/homeserver.yaml
  4. +0
    -7
      demo/demo.tls.dh
  5. +0
    -1
      docker/conf/homeserver.yaml
  6. +0
    -40
      synapse/config/tls.py
  7. +4
    -2
      synapse/crypto/context_factory.py
  8. +0
    -1
      tests/config/test_generate.py

+ 1
- 1
README.rst 查看文件

@@ -220,7 +220,7 @@ is configured to use TLS with a self-signed certificate. If you would like
to do initial test with a client without having to setup a reverse proxy,
you can temporarly use another certificate. (Note that a self-signed
certificate is fine for `Federation`_). You can do so by changing
``tls_certificate_path``, ``tls_private_key_path`` and ``tls_dh_params_path``
``tls_certificate_path`` and ``tls_private_key_path``
in ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
to read `Using a reverse proxy with Synapse`_ when doing so.



+ 1
- 0
changelog.d/4229.feature 查看文件

@@ -0,0 +1 @@
Synapse's cipher string has been updated to require ECDH key exchange. Configuring and generating dh_params is no longer required, and they will be ignored.

+ 0
- 3
debian/homeserver.yaml 查看文件

@@ -9,9 +9,6 @@ tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
# PEM encoded private key for TLS
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"

# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"

# Don't bind to the https port
no_tls: False



+ 0
- 7
demo/demo.tls.dh 查看文件

@@ -1,9 +0,0 @@
2048-bit DH parameters taken from rfc3526
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==

+ 0
- 1
docker/conf/homeserver.yaml 查看文件

@@ -4,7 +4,6 @@

tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
tls_dh_params_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.dh"
no_tls: {{ "True" if SYNAPSE_NO_TLS else "False" }}
tls_fingerprints: []



+ 0
- 40
synapse/config/tls.py 查看文件

@@ -14,7 +14,6 @@
# limitations under the License.

import os
import subprocess
from hashlib import sha256

from unpaddedbase64 import encode_base64
@@ -23,8 +22,6 @@ from OpenSSL import crypto

from ._base import Config

GENERATE_DH_PARAMS = False


class TlsConfig(Config):
def read_config(self, config):
@@ -42,10 +39,6 @@ class TlsConfig(Config):
config.get("tls_private_key_path")
)

self.tls_dh_params_path = self.check_file(
config.get("tls_dh_params_path"), "tls_dh_params"
)

self.tls_fingerprints = config["tls_fingerprints"]

# Check that our own certificate is included in the list of fingerprints
@@ -72,7 +65,6 @@ class TlsConfig(Config):

tls_certificate_path = base_key_name + ".tls.crt"
tls_private_key_path = base_key_name + ".tls.key"
tls_dh_params_path = base_key_name + ".tls.dh"

return """\
# PEM encoded X509 certificate for TLS.
@@ -85,9 +77,6 @@ class TlsConfig(Config):
# PEM encoded private key for TLS
tls_private_key_path: "%(tls_private_key_path)s"

# PEM dh parameters for ephemeral keys
tls_dh_params_path: "%(tls_dh_params_path)s"

# Don't bind to the https port
no_tls: False

@@ -131,7 +120,6 @@ class TlsConfig(Config):
def generate_files(self, config):
tls_certificate_path = config["tls_certificate_path"]
tls_private_key_path = config["tls_private_key_path"]
tls_dh_params_path = config["tls_dh_params_path"]

if not self.path_exists(tls_private_key_path):
with open(tls_private_key_path, "wb") as private_key_file:
@@ -165,31 +153,3 @@ class TlsConfig(Config):
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)

certificate_file.write(cert_pem)

if not self.path_exists(tls_dh_params_path):
if GENERATE_DH_PARAMS:
subprocess.check_call([
"openssl", "dhparam",
"-outform", "PEM",
"-out", tls_dh_params_path,
"2048"
])
else:
with open(tls_dh_params_path, "w") as dh_params_file:
dh_params_file.write(
"2048-bit DH parameters taken from rfc3526\n"
"-----BEGIN DH PARAMETERS-----\n"
"MIIBCAKCAQEA///////////JD9qiIWjC"
"NMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
"IlFKCHmONATd75UZs806QxswKwpt8l8U"
"N0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf"
"5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVS"
"u57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
"fDKQXkYuNs474553LBgOhgObJ4Oi7Aei"
"j7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
"5RXSJhiY+gUQFXKOWoqsqmj/////////"
"/wIBAg==\n"
"-----END DH PARAMETERS-----\n"
)

+ 4
- 2
synapse/crypto/context_factory.py 查看文件

@@ -46,8 +46,10 @@ class ServerContextFactory(ContextFactory):
if not config.no_tls:
context.use_privatekey(config.tls_private_key)

context.load_tmp_dh(config.tls_dh_params_path)
context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
context.set_cipher_list(
"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
)

def getContext(self):
return self._context


+ 0
- 1
tests/config/test_generate.py 查看文件

@@ -51,7 +51,6 @@ class ConfigGenerationTestCase(unittest.TestCase):
"lemurs.win.log.config",
"lemurs.win.signing.key",
"lemurs.win.tls.crt",
"lemurs.win.tls.dh",
"lemurs.win.tls.key",
]
),


撰写 预览
正在加载...
取消
保存