startTLS: correct certificate loading and validation

2019-02-05 16:13:47 +01:00 · 2019-02-05 16:13:47 +01:00 · a055e3b881
commit a055e3b881
parent 063a191e99
2 changed files with 22 additions and 17 deletions
--- a/syncplay/client.py
+++ b/syncplay/client.py
@ -1,7 +1,9 @@

 import ast
+import certifi
 import collections
 import hashlib
+import os
 import os.path
 import random
 import re
@ -24,6 +26,8 @@ from syncplay.messages import getMissingStrings, getMessage
 from syncplay.protocols import SyncClientProtocol
 from syncplay.utils import isMacOS

+os.environ['SSL_CERT_FILE'] = certifi.where()
+

 class SyncClientFactory(ClientFactory):
    def __init__(self, client, retry=constants.RECONNECT_RETRIES):
@ -708,9 +712,7 @@ class SyncplayClient(object):
        port = int(port)
        self._endpoint = HostnameEndpoint(reactor, host, port)
        try:
-            with open('cert/server.crt') as cert_file:
-                trust_root = Certificate.loadPEM(cert_file.read())
-            self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot = trust_root)
+            self.protocolFactory.options = optionsForClientTLS(hostname=host)
        except Exception as e:
            self.protocolFactory.options = None
            self._serverSupportsTLS = False
--- a/syncplay/server.py
+++ b/syncplay/server.py
@ -51,20 +51,7 @@ class SyncFactory(Factory):
            self._statsDbHandle = None
        self.options = None
        if tlsCertPath is not None:
-            try:
-                privkey=open(tlsCertPath+'/privkey.pem', 'rt').read()
-                certif=open(tlsCertPath+'/cert.pem', 'rt').read()
-                chain=open(tlsCertPath+'/chain.pem', 'rt').read()
-
-                privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
-                certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)
-                chainpyssl=[crypto.load_certificate(crypto.FILETYPE_PEM,chain)]
-
-                contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl,extraCertChain=chainpyssl)
-                self.options = contextFactory
-            except Exception as e:
-	            print(e)
-	            print("Cannot import certificate. TLS support not enabled.")
+            self._allowTLSconnections(tlsCertPath)

    def buildProtocol(self, addr):
        return SyncServerProtocol(self)
@ -211,6 +198,22 @@ class SyncFactory(Factory):
        else:
            watcher.setPlaylistIndex(room.getName(), room.getPlaylistIndex())

+    def _allowTLSconnections(path):
+        try:
+            privkey = open(path+'/privkey.pem', 'rt').read()
+            certif = open(path+'/cert.pem', 'rt').read()
+            chain = open(path+'/chain.pem', 'rt').read()
+
+            privkeypyssl = crypto.load_privatekey(crypto.FILETYPE_PEM, privkey)
+            certifpyssl = crypto.load_certificate(crypto.FILETYPE_PEM, certif)
+            chainpyssl = [crypto.load_certificate(crypto.FILETYPE_PEM, chain)]
+
+            contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl, extraCertChain=chainpyssl)
+            self.options = contextFactory
+        except Exception as e:
+            print(e)
+            print("Cannot import certificates. TLS support not enabled.")
+

 class StatsRecorder(object):
    def __init__(self, dbHandle, roomManager):