Better TLS certificate chain support #243
Conversation
According to RFC 5246, nginx docs etc. we can expect the server certificate (leaf) to be the first one in the fullchain.pem file. This is indeed the case for all Let's Encrypt certs that I've seen so far. Also adjust mechanism that checks for updated certificates: now consider the most recent timestamp of any supported .pem file.
|
Hi @Tremolo4, your code looks like a clever way of circumventing the limitations of Twisted. However, when it comes to encryption our philosophy is to avoid custom implementations as much as possible. We do not have the resources and expertise to review or maintain a custom implementation. For all we know there was a reason why Twisted did things the way they did, or the specific implementation might work fine with the current version of Twisted but might be problematic in a future version. As such, our view is that if the issue raised in #242 is to be resolved then it would have to be resolved upstream by Twisted. You can try working with the Twisted team directly on this, but it is up to them which development efforts they wish to prioritise. Until it is fixed upstream our position is that the matter is closed. However, we recognise that some users will experience the same issue as you, so if you can provide guidance on how people can manually split the fullchain.pem file then we would be happy to add it to the guide at https://github.com/Syncplay/syncplay/wiki/TLS-support |
|
That's fair, thanks for the response. In general I completely agree with your philosophy about leaving encryption to competent implementations as much as possible. However, I personally think that my PR doesn't interfere with that philosophy, since we're still fully relying on library code to guarantee the security:
But I guess it's a matter of interpretation and you have more leverage here :D Just one more point: Currently, it is impossible to use TLS with syncplay if your certificate requires more than one intermediate certificate (i.e., Anyway, thanks a lot for your work on syncplay and thanks for taking the time to discuss this! |
Thanks for raising this issue. While we suspected this condition, were not fully aware of it and we will try to address this in the future.
I tend to disagree with the first statement. As you said, the issue is that A potential solution to the latter issue and to the issue originally described by this PR could be to use another external library (e.g. While this approach seems appealing in principle, I remember well that implementing TLS for Syncplay required a lot of trial and error, a lot of failed attempts, and a lot of compromises between supported features and reliability. Hence, for the moment I would tend to maintain the current TLS code as much as possible, while perhaps experimenting privately with |
You're completely right, I stand corrected. Let's say the two APIs (PySSL and twisted) are not fully compatible / are incomplete for the desired use case. When looking into how to fix this situation, I saw hynek's Edit (continuation):
I definitely believe that.
From my point of view, all the complex parts of the TLS code are already working perfectly. The certificate chain handling from this PR just a tiny bonus part from a technical point of view -- trivial in comparison to what is already there. I can't see it turning out to be hard to maintain. |
This PR adds support for
fullchain.pemfiles, i.e., where the main/leaf server certificate is included in the chain file.Additionally,
chain.pemorfullchain.pemfiles with more than one intermediate certificate are now supported.The PEM splitting function might look a bit hacky, but it should be perfectly safe and doesn't require any dependencies.
I've changed the last-edit-check to use the most recent timestamp out of all the four
.pemfiles.Hope this is useful! (it is for me ;))