From 086f6f27d409520e71556cad4707cb2f70476e20 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Mon, 11 Feb 2019 21:00:41 +0000
Subject: [PATCH 1/2] Logging improvements around TLS certs

Log which file we're reading keys and certs from, and refactor the code a bit
in preparation for other work
---
 changelog.d/4615.misc |  1 +
 synapse/app/_base.py  |  6 ++---
 synapse/config/tls.py | 54 ++++++++++++++++++++++++++++---------------
 3 files changed, 39 insertions(+), 22 deletions(-)
 create mode 100644 changelog.d/4615.misc

diff --git a/changelog.d/4615.misc b/changelog.d/4615.misc
new file mode 100644
index 000000000000..c7266fcfc78b
--- /dev/null
+++ b/changelog.d/4615.misc
@@ -0,0 +1 @@
+Logging improvements around TLS certs
diff --git a/synapse/app/_base.py b/synapse/app/_base.py
index e1fc1afd5b17..6d72de1daad7 100644
--- a/synapse/app/_base.py
+++ b/synapse/app/_base.py
@@ -213,13 +213,11 @@ def refresh_certificate(hs):
     Refresh the TLS certificates that Synapse is using by re-reading them from
     disk and updating the TLS context factories to use them.
     """
-    logging.info("Loading certificate from disk...")
     hs.config.read_certificate_from_disk()
     hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
-    logging.info("Certificate loaded.")
 
     if hs._listening_services:
-        logging.info("Updating context factories...")
+        logger.info("Updating context factories...")
         for i in hs._listening_services:
             # When you listenSSL, it doesn't make an SSL port but a TCP one with
             # a TLS wrapping factory around the factory you actually want to get
@@ -234,7 +232,7 @@ def refresh_certificate(hs):
                     False,
                     i.factory.wrappedFactory
                 )
-        logging.info("Context factories updated.")
+        logger.info("Context factories updated.")
 
 
 def start(hs, listeners=None):
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 9fcc79816dc0..76d2add4fe43 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -25,7 +25,7 @@
 
 from synapse.config._base import Config
 
-logger = logging.getLogger()
+logger = logging.getLogger(__name__)
 
 
 class TlsConfig(Config):
@@ -110,20 +110,10 @@ def read_certificate_from_disk(self):
         """
         Read the certificates from disk.
         """
-        self.tls_certificate = self.read_tls_certificate(self.tls_certificate_file)
-
-        # Check if it is self-signed, and issue a warning if so.
-        if self.tls_certificate.get_issuer() == self.tls_certificate.get_subject():
-            warnings.warn(
-                (
-                    "Self-signed TLS certificates will not be accepted by Synapse 1.0. "
-                    "Please either provide a valid certificate, or use Synapse's ACME "
-                    "support to provision one."
-                )
-            )
+        self.tls_certificate = self.read_tls_certificate()
 
         if not self.no_tls:
-            self.tls_private_key = self.read_tls_private_key(self.tls_private_key_file)
+            self.tls_private_key = self.read_tls_private_key()
 
         self.tls_fingerprints = list(self._original_tls_fingerprints)
 
@@ -250,10 +240,38 @@ def default_config(self, config_dir_path, server_name, **kwargs):
             % locals()
         )
 
-    def read_tls_certificate(self, cert_path):
-        cert_pem = self.read_file(cert_path, "tls_certificate")
-        return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
+    def read_tls_certificate(self):
+        """Reads the TLS certificate from the configured file, and returns it
+
+        Also checks if it is self-signed, and warns if so
+
+        Returns:
+            OpenSSL.crypto.X509: the certificate
+        """
+        cert_path = self.tls_certificate_file
+        logger.info("Loading TLS certificate from %s", cert_path)
+        cert_pem = self.read_file(cert_path, "tls_certificate_path")
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
+
+        # Check if it is self-signed, and issue a warning if so.
+        if cert.get_issuer() == cert.get_subject():
+            warnings.warn(
+                (
+                    "Self-signed TLS certificates will not be accepted by Synapse 1.0. "
+                    "Please either provide a valid certificate, or use Synapse's ACME "
+                    "support to provision one."
+                )
+            )
+
+        return cert
 
-    def read_tls_private_key(self, private_key_path):
-        private_key_pem = self.read_file(private_key_path, "tls_private_key")
+    def read_tls_private_key(self):
+        """Reads the TLS private key from the configured file, and returns it
+
+        Returns:
+            OpenSSL.crypto.PKey: the private key
+        """
+        private_key_path = self.tls_private_key_file
+        logger.info("Loading TLS key from %s", private_key_path)
+        private_key_pem = self.read_file(private_key_path, "tls_private_key_path")
         return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)

From 9645728619828fda050fa08aaa25628f5db5d775 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Mon, 11 Feb 2019 21:30:59 +0000
Subject: [PATCH 2/2] Don't create server contexts when TLS is disabled

we aren't going to use them anyway.
---
 changelog.d/4617.misc             | 1 +
 synapse/app/_base.py              | 5 +++++
 synapse/crypto/context_factory.py | 4 +---
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 changelog.d/4617.misc

diff --git a/changelog.d/4617.misc b/changelog.d/4617.misc
new file mode 100644
index 000000000000..6d751865c959
--- /dev/null
+++ b/changelog.d/4617.misc
@@ -0,0 +1 @@
+Don't create server contexts when TLS is disabled
diff --git a/synapse/app/_base.py b/synapse/app/_base.py
index 6d72de1daad7..6b3cb61ae9fc 100644
--- a/synapse/app/_base.py
+++ b/synapse/app/_base.py
@@ -214,6 +214,11 @@ def refresh_certificate(hs):
     disk and updating the TLS context factories to use them.
     """
     hs.config.read_certificate_from_disk()
+
+    if hs.config.no_tls:
+        # nothing else to do here
+        return
+
     hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
 
     if hs._listening_services:
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 286ad8010015..85f2848fb183 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -43,9 +43,7 @@ def configure_context(context, config):
             logger.exception("Failed to enable elliptic curve for TLS")
         context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
         context.use_certificate_chain_file(config.tls_certificate_file)
-
-        if not config.no_tls:
-            context.use_privatekey(config.tls_private_key)
+        context.use_privatekey(config.tls_private_key)
 
         # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
         context.set_cipher_list(