Implement TLS automatic certificate rotation

2019-02-19 09:37:15 +01:00 · 2019-02-19 09:37:15 +01:00 · 890e8ea2ab
commit 890e8ea2ab
parent 21e19159e0
2 changed files with 27 additions and 6 deletions
--- a/syncplay/protocols.py
+++ b/syncplay/protocols.py
@ -2,6 +2,7 @@
 import json
 import time
 from functools import wraps
+from os.path import getmtime

 from twisted.protocols.basic import LineReceiver
 from twisted.internet.interfaces import IHandshakeListener
@ -669,7 +670,9 @@ class SyncServerProtocol(JSONCommandProtocol):
    def handleTLS(self, message):
        inquiry = message["startTLS"] if "startTLS" in message else None
        if "send" in inquiry:
-            if not self.isLogged() and self._factory.options is not None:
+            if not self.isLogged() and self._factory.serverAcceptsTLS and self._factory.options is not None:
+                if self._factory.checkLastEditCertTime() > self.lastEditCertTime:
+                    self._factory.updateTLSContextFactory()
                self.sendTLS({"startTLS": "true"})
                self.transport.startTLS(self._factory.options)
            else:
--- a/syncplay/server.py
+++ b/syncplay/server.py
@ -208,28 +208,46 @@ class SyncFactory(Factory):
            watcher.setPlaylistIndex(room.getName(), room.getPlaylistIndex())

    def _allowTLSconnections(self, path):
+        self.options = self._createTLSContextFactory(path)
+        if self.options is not None:
+            self.serverAcceptsTLS = True
+        else:
+            self.serverAcceptsTLS = False
+            self.lastEditCertTime = None
+            print("TLS support is not enabled.")
+
+    def _createTLSContextFactory(self, path):
        try:
            privKey = open(path+'/privkey.pem', 'rt').read()
            certif = open(path+'/cert.pem', 'rt').read()
            chain = open(path+'/chain.pem', 'rt').read()

+            self.lastEditCertTime = os.path.getmtime(path+'/cert.pem')
+
            privKeyPySSL = crypto.load_privatekey(crypto.FILETYPE_PEM, privKey)
            certifPySSL = crypto.load_certificate(crypto.FILETYPE_PEM, certif)
            chainPySSL = [crypto.load_certificate(crypto.FILETYPE_PEM, chain)]

            cipherListString = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
-	                           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"\
-	                           "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+                               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"\
+                               "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
            accCiphers = ssl.AcceptableCiphers.fromOpenSSLCipherString(cipherListString)

            contextFactory = ssl.CertificateOptions(privateKey=privKeyPySSL, certificate=certifPySSL,
                                                    extraCertChain=chainPySSL, acceptableCiphers=accCiphers,
                                                    raiseMinimumTo=ssl.TLSVersion.TLSv1_2)
-            self.options = contextFactory
        except Exception as e:
-            self.options = None
            print(e)
-            print("TLS support is not enabled.")
+            contextFactory = None
+
+        return contextFactory
+
+    def checkLastEditCertTime(self):
+        return os.path.getmtime(self.certPath+'/cert.pem')
+
+    def updateTLSContextFactory(self):
+        self.options = self._createTLSContextFactory(self.certPath)
+


 class StatsRecorder(object):