startTLS: correct certificate loading and validation

2019-02-05 16:13:47 +01:00 · 2019-02-05 16:13:47 +01:00 · 07fd1434ba
commit 07fd1434ba
parent dc5c63a57c
2 changed files with 8 additions and 25 deletions
--- a/syncplay/client.py
+++ b/syncplay/client.py
@ -1,5 +1,6 @@

 import ast
+import certifi
 import collections
 import hashlib
 import os
@ -32,6 +33,8 @@ from syncplay.messages import getMissingStrings, getMessage
 from syncplay.protocols import SyncClientProtocol
 from syncplay.utils import isMacOS

+os.environ['SSL_CERT_FILE'] = certifi.where()
+

 class SyncClientFactory(ClientFactory):
    def __init__(self, client, retry=constants.RECONNECT_RETRIES):
@ -716,9 +719,7 @@ class SyncplayClient(object):
        port = int(port)
        self._endpoint = HostnameEndpoint(reactor, host, port)
        try:
-            with open('cert/server.crt') as cert_file:
-                trust_root = Certificate.loadPEM(cert_file.read())
-            self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot = trust_root)
+            self.protocolFactory.options = optionsForClientTLS(hostname=host)
        except Exception as e:
            self.protocolFactory.options = None
            self._serverSupportsTLS = False
--- a/syncplay/server.py
+++ b/syncplay/server.py
@ -58,20 +58,7 @@ class SyncFactory(Factory):
            self._statsDbHandle = None
        self.options = None
        if tlsCertPath is not None:
-            try:
-                privkey=open(tlsCertPath+'/privkey.pem', 'rt').read()
-                certif=open(tlsCertPath+'/cert.pem', 'rt').read()
-                chain=open(tlsCertPath+'/chain.pem', 'rt').read()
-
-                privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
-                certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)
-                chainpyssl=[crypto.load_certificate(crypto.FILETYPE_PEM,chain)]
-
-                contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl,extraCertChain=chainpyssl)
-                self.options = contextFactory
-            except Exception as e:
-	            print(e)
-	            print("Cannot import certificate. TLS support not enabled.")
+            self._allowTLSconnections(tlsCertPath)

    def buildProtocol(self, addr):
        return SyncServerProtocol(self)
@ -218,7 +205,7 @@ class SyncFactory(Factory):
        else:
            watcher.setPlaylistIndex(room.getName(), room.getPlaylistIndex())

-    def _allowTLSconnections(self, path):
+    def _allowTLSconnections(path):
        try:
            privkey = open(path+'/privkey.pem', 'rt').read()
            certif = open(path+'/cert.pem', 'rt').read()
@ -228,16 +215,11 @@ class SyncFactory(Factory):
            certifpyssl = crypto.load_certificate(crypto.FILETYPE_PEM, certif)
            chainpyssl = [crypto.load_certificate(crypto.FILETYPE_PEM, chain)]

-            dhFilePath = FilePath(path+'/dh_param.pem')
-            dhParams = ssl.DiffieHellmanParameters.fromFile(dhFilePath)
-
-            contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl,
-                                                    extraCertChain=chainpyssl, dhParameters=dhParams,
-                                                    raiseMinimumTo=ssl.TLSVersion.TLSv1_2)
+            contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl, extraCertChain=chainpyssl)
            self.options = contextFactory
        except Exception as e:
            print(e)
-            print("TLS support is not enabled.")
+            print("Cannot import certificates. TLS support not enabled.")


 class StatsRecorder(object):