-
Notifications
You must be signed in to change notification settings - Fork 216
TLS support
From version 1.6.3 Syncplay is starting to support Opportunistic TLS to provide a secure and encrypted connection between the clients and the server, as in modern https-based websites.
Why Opportunistic TLS? To provide complete retro-compatibility, the connection starts using the usual protocol (TCP) then, if both the client and the server support this feature, it switches to the secure protocol TLS before transmitting any data. You will be notified of this switch from the user interface of your client. If either the client or the server does not support TLS, the connection will continue to use an unencrypted channel, as before the introduction of this feature.
The following contains some information about the client- and server-side support of this feature.
Version 1.6.4 introduces the support for Opportunistic TLS on Windows. When connecting to any server, the client will try to negotiate a TLS connection and will fall back to an unencrypted channel when that feature is not available. We encourage all the Windows users to upgrade their clients and try out this feature on our public servers.
The packaged .app for macOS supports Opportunistic TLS since version 1.6.3.
Starting from 32085f8, users on git master
can use Opportunistic TLS in their clients. To enable this feature, the twisted[tls]
and certifi
Python modules are needed, and they can be installed using pip
. Alternatively, the following packages need to be installed from the OS package manager to enable Opportunistic TLS:
'certifi' >= 2018.11.29,
'pyopenssl >= 16.0.0',
'service_identity',
'idna >= 0.6, != 2.3'
Syncplay will not attempt a TLS connection if one of the dependencies is missing from the system.
All our public servers now support Opportunistic TLS. Users are encouraged to upgrade their clients to test this feature.
To enable the server support of Opportunistic TLS, the twisted[tls]
and certifi
Python modules are required. These modules can be installed using pip
. Alternatively, the following packages need to be installed from the OS package manager:
'certifi' >= 2018.11.29,
'pyopenssl >= 16.0.0',
'service_identity',
'idna >= 0.6, != 2.3'
From version 1.6.3 a --tls [path]
option has been added to syncplayServer.py
. The folder specified in path
has to contain the certificates needed to sign and establish a verifiable TLS connection. Syncplay does not support self-signed certificates, as they cannot be independently verified by the client. You can easily obtain CA signed certificates from Let's Encrypt for free. For a successful verification, it is mandatory that the certificate is issued for the same hostname used by the server.
When executed with the --tls [path]
option, the server expects three files in the folder indicated in path
(we use the certbot
naming scheme detailed here):
-
cert.pem
: the certificate issued by the CA, -
privkey.pem
: the private key for the certificate, -
chain.pem
: the additional intermediate certificates that clients will need in order to validate the server certificate.
If any of these files or the required libraries is missing, the server will start without the Opportunistic TLS support, providing an error message and a warning: TLS support is not enabled
.
NOTE: please ensure that your certificates are valid for your domain name. If the client is unable to verify the certificates, it will prevent the connection entirely. In this case, there will be no attempt to establish an unencrypted connection, imitating the behavior of modern browsers. We use the certifi
store (link) to validate certificates. If you experience troubles in making clients validate your certificates, we encourage you to disable TLS on your server and privately test them before enabling this feature again.
Syncplay supports automatic certificate reloading, allowing to update the certificates and the key without rebooting the server. This facilitates the management of servers even when using short-lived certificates. syncplayServer.py
loads the certificates in memory at its launch, and also stores the last modification time of the cert.pem
file. Every time the server receives a connection, it checks for the last modification time of the cert.pem
file. If the server finds a difference between this modification time and the previously stored value, it automatically loads all the new certificates from path
, starting to serve them to all the subsequent incoming connections. Existing connections will not be perturbed by this reloading and will continue to be encrypted and secure.
Hence, to update the certificates while the server is running, you only need to copy the newly issued certificates in path
, overwriting the old files.