Home Explore Help
Register Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Browse Source

Require ECDH key exchange & remove dh_params (#4429)

* remove dh_params and set better cipher string
Amber Brown 5 years ago
parent
83f335bedf
commit
23b0813599
8 changed files with 6 additions and 57 deletions
Split View Show Diff Stats
  1. 1 1
      README.rst
  2. 1 0
      changelog.d/4229.feature
  3. 0 3
      debian/homeserver.yaml
  4. 0 9
      demo/demo.tls.dh
  5. 0 1
      docker/conf/homeserver.yaml
  6. 0 40
      synapse/config/tls.py
  7. 4 2
      synapse/crypto/context_factory.py
  8. 0 1
      tests/config/test_generate.py

+ 1 - 1
README.rst
View File 

@@ -220,7 +220,7 @@ is configured to use TLS with a self-signed certificate. If you would like
 
 to do initial test with a client without having to setup a reverse proxy,
 
 you can temporarly use another certificate. (Note that a self-signed
 
 certificate is fine for `Federation`_). You can do so by changing
 
-``tls_certificate_path``, ``tls_private_key_path`` and ``tls_dh_params_path``
 
+``tls_certificate_path`` and ``tls_private_key_path``
 
 in ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
 
 to read `Using a reverse proxy with Synapse`_ when doing so.

+ 1 - 0
changelog.d/4229.feature
View File 

@@ -0,0 +1 @@
 
+Synapse's cipher string has been updated to require ECDH key exchange. Configuring and generating dh_params is no longer required, and they will be ignored.

+ 0 - 3
debian/homeserver.yaml
View File 

@@ -9,9 +9,6 @@ tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
 
 # PEM encoded private key for TLS
 
 tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
 
 
-# PEM dh parameters for ephemeral keys
 
-tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
 
-
 
 # Don't bind to the https port
 
 no_tls: False

+ 0 - 9
demo/demo.tls.dh
View File 

@@ -1,9 +0,0 @@
 
-2048-bit DH parameters taken from rfc3526
 
------BEGIN DH PARAMETERS-----
 
-MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
 
-IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
 
-awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
 
-mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
 
-fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
 
-5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
 
------END DH PARAMETERS-----

+ 0 - 1
docker/conf/homeserver.yaml
View File 

@@ -4,7 +4,6 @@
 
 
 tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
 
 tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
 
-tls_dh_params_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.dh"
 
 no_tls: {{ "True" if SYNAPSE_NO_TLS else "False" }}
 
 tls_fingerprints: []

+ 0 - 40
synapse/config/tls.py
View File 

@@ -14,7 +14,6 @@
 
 # limitations under the License.
 
 
 import os
 
-import subprocess
 
 from hashlib import sha256
 
 
 from unpaddedbase64 import encode_base64
 
@@ -23,8 +22,6 @@ from OpenSSL import crypto
 
 
 from ._base import Config
 
 
-GENERATE_DH_PARAMS = False
 
-
 
 
 class TlsConfig(Config):
 
     def read_config(self, config):
 
@@ -42,10 +39,6 @@ class TlsConfig(Config):
 
                 config.get("tls_private_key_path")
 
             )
 
 
-        self.tls_dh_params_path = self.check_file(
 
-            config.get("tls_dh_params_path"), "tls_dh_params"
 
-        )
 
-
 
         self.tls_fingerprints = config["tls_fingerprints"]
 
 
         # Check that our own certificate is included in the list of fingerprints
 
@@ -72,7 +65,6 @@ class TlsConfig(Config):
 
 
         tls_certificate_path = base_key_name + ".tls.crt"
 
         tls_private_key_path = base_key_name + ".tls.key"
 
-        tls_dh_params_path = base_key_name + ".tls.dh"
 
 
         return """\
 
         # PEM encoded X509 certificate for TLS.
 
@@ -85,9 +77,6 @@ class TlsConfig(Config):
 
         # PEM encoded private key for TLS
 
         tls_private_key_path: "%(tls_private_key_path)s"
 
 
-        # PEM dh parameters for ephemeral keys
 
-        tls_dh_params_path: "%(tls_dh_params_path)s"
 
-
 
         # Don't bind to the https port
 
         no_tls: False
 
 
@@ -131,7 +120,6 @@ class TlsConfig(Config):
 
     def generate_files(self, config):
 
         tls_certificate_path = config["tls_certificate_path"]
 
         tls_private_key_path = config["tls_private_key_path"]
 
-        tls_dh_params_path = config["tls_dh_params_path"]
 
 
         if not self.path_exists(tls_private_key_path):
 
             with open(tls_private_key_path, "wb") as private_key_file:
 
@@ -165,31 +153,3 @@ class TlsConfig(Config):
 
                 cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
 
 
                 certificate_file.write(cert_pem)
 
-
 
-        if not self.path_exists(tls_dh_params_path):
 
-            if GENERATE_DH_PARAMS:
 
-                subprocess.check_call([
 
-                    "openssl", "dhparam",
 
-                    "-outform", "PEM",
 
-                    "-out", tls_dh_params_path,
 
-                    "2048"
 
-                ])
 
-            else:
 
-                with open(tls_dh_params_path, "w") as dh_params_file:
 
-                    dh_params_file.write(
 
-                        "2048-bit DH parameters taken from rfc3526\n"
 
-                        "-----BEGIN DH PARAMETERS-----\n"
 
-                        "MIIBCAKCAQEA///////////JD9qiIWjC"
 
-                        "NMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
 
-                        "IlFKCHmONATd75UZs806QxswKwpt8l8U"
 
-                        "N0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
 
-                        "awv/XLb0Brft7jhr+1qJn6WunyQRfEsf"
 
-                        "5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
 
-                        "mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVS"
 
-                        "u57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
 
-                        "fDKQXkYuNs474553LBgOhgObJ4Oi7Aei"
 
-                        "j7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
 
-                        "5RXSJhiY+gUQFXKOWoqsqmj/////////"
 
-                        "/wIBAg==\n"
 
-                        "-----END DH PARAMETERS-----\n"
 
-                    )

+ 4 - 2
synapse/crypto/context_factory.py
View File 

@@ -46,8 +46,10 @@ class ServerContextFactory(ContextFactory):
 
         if not config.no_tls:
 
             context.use_privatekey(config.tls_private_key)
 
 
-        context.load_tmp_dh(config.tls_dh_params_path)
 
-        context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
 
+        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 
+        context.set_cipher_list(
 
+            "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
 
+        )
 
 
     def getContext(self):
 
         return self._context

+ 0 - 1
tests/config/test_generate.py
View File 

@@ -51,7 +51,6 @@ class ConfigGenerationTestCase(unittest.TestCase):
 
                     "lemurs.win.log.config",
 
                     "lemurs.win.signing.key",
 
                     "lemurs.win.tls.crt",
 
-                    "lemurs.win.tls.dh",
 
                     "lemurs.win.tls.key",
 
                 ]
 
             ),