Don't create server contexts when TLS is disabled

we aren't going to use them anyway.
6 years ago · 9645728619
parent 086f6f27d4
commit 9645728619
3 changed files with 7 additions and 3 deletions
--- a/changelog.d/4617.misc
+++ b/changelog.d/4617.misc
@ -0,0 +1 @@
+Don't create server contexts when TLS is disabled
--- a/synapse/app/_base.py
+++ b/synapse/app/_base.py
@ -214,6 +214,11 @@ def refresh_certificate(hs):
    disk and updating the TLS context factories to use them.
    """
    hs.config.read_certificate_from_disk()
+
+    if hs.config.no_tls:
+        # nothing else to do here
+        return
+
    hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)

    if hs._listening_services:
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -43,9 +43,7 @@ class ServerContextFactory(ContextFactory):
            logger.exception("Failed to enable elliptic curve for TLS")
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.use_certificate_chain_file(config.tls_certificate_file)
-
-        if not config.no_tls:
-            context.use_privatekey(config.tls_private_key)
+        context.use_privatekey(config.tls_private_key)

        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        context.set_cipher_list(
				`@ -0,0 +1 @@`
				`Don't create server contexts when TLS is disabled`