TLS support
From version X.X.X, Syncplay supports Opportunistic TLS, which provides a secure and encrypted connection between clients and servers, as modern HTTPS websites do.

Why Opportunistic TLS? To keep full backward compatibility, the connection starts over the usual plain TCP protocol; then, if both the client and the server support this feature, it switches to TLS before any data is transmitted. Your client's user interface notifies you of this switch (talk here about the lock icon, maybe?). If either the client or the server does not support TLS, the connection continues over an unencrypted channel, as it did before this feature was introduced.
The following contains some information about the client- and server-side support of this feature.
Our plan is to gradually roll out the client support for TLS in the following releases for all the platforms.
Packaged binaries of version X.X.X do not support TLS due to an incompatibility between `py2exe`, the module that we use to create the Syncplay executable, and `cryptography`, one of the Python libraries required by this feature. Windows users can still connect to TLS-enabled servers, but their clients will not negotiate encrypted connections. We plan to introduce Opportunistic TLS on Windows, enabled by default, in the upcoming releases.
The packaged `.app` of version X.X.X supports Opportunistic TLS. When connecting to any server, the client will try to negotiate a TLS connection and fall back to an unencrypted channel when that feature is not available. We encourage all macOS users to update their client and try out this feature on our public servers.
Starting from xxxxxxx (commit hash), users on git `master` can use Opportunistic TLS in their clients. To enable this feature, the `twisted[tls]` and `certifi` Python modules are needed (they can be installed either via `pip` or the OS package manager). Syncplay will not attempt a TLS connection if either dependency is missing from the system.
All our public servers now support Opportunistic TLS. Users are encouraged to upgrade their client to test this feature. (crossing to be removed once the servers are up and running)
First of all, the `twisted[tls]` and `certifi` Python modules are required to run a server that supports Opportunistic TLS.

From version X.X.X a `--tls [path]` option has been added to `syncplayServer.py`. The folder specified in `path` has to contain the certificates needed to sign and establish a verifiable TLS connection. Syncplay does not support self-signed certificates, as the client cannot independently verify them. You can easily obtain CA-signed certificates from Let's Encrypt for free. For verification to succeed, the certificate must be issued for the same hostname used by the server.
In addition, Syncplay offers Diffie-Hellman key exchange to provide perfect forward secrecy (see here for further information). This feature requires DH key generation parameters, which can be created from the server shell by running

```sh
openssl dhparam -out dh_param_1024.pem -2 1024
```

as detailed here.
When executed with the `--tls [path]` option, the server expects four files in the folder indicated in `path`:

- `cert.pem`: the certificate issued by the CA,
- `privkey.pem`: the private key that is linked to the certificate,
- `chain.pem`: the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate,
- `dh_param_1024.pem`: the DH key generation parameters described above.
If any of these files or of the required libraries is missing, the server will start without Opportunistic TLS support, printing an error message and the warning `TLS support is not enabled`.
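Because the server silently falls back to plaintext when the folder is incomplete, it is worth checking it before starting. The following pre-flight script is an added example, not part of Syncplay; it assumes the four file names listed above, a hypothetical hostname passed as its second argument, and an `openssl` binary (1.1.0 or newer) for the content checks.

```shell
#!/bin/sh
# Pre-flight checks for the folder passed to `syncplayServer.py --tls [path]`.
# Added example, not Syncplay's own code. Assumes the four file names from this
# page and an `openssl` binary (1.1.0 or newer) for the content checks.

REQUIRED_FILES="cert.pem privkey.pem chain.pem dh_param_1024.pem"

# Print each required file absent from DIR, one per line. The server starts
# WITHOUT TLS when any of them is missing, so this is the first thing to catch.
tls_missing_files() {
    for f in $REQUIRED_FILES; do
        [ -f "$1/$f" ] || echo "$f"
    done
}

# Succeed only if privkey.pem is the key behind cert.pem, compared through
# their SubjectPublicKeyInfo so it works for RSA and EC keys alike.
tls_key_matches_cert() {
    certpub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Succeed only if cert.pem is issued for HOST (SAN, with CN as fallback):
# the client verifies the certificate against the server name it connects to.
tls_cert_matches_host() {
    openssl x509 -in "$1/cert.pem" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Succeed only if cert.pem chains through chain.pem to a CA in the system
# trust store. A self-signed certificate fails here, as it does in the client.
tls_chain_verifies() {
    openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Run all checks on DIR for HOST, print each failure; returns 0 when all pass.
tls_preflight() {
    dir=$1; host=$2; rc=0
    missing=$(tls_missing_files "$dir")
    if [ -n "$missing" ]; then
        echo "missing files:" $missing; return 1
    fi
    tls_key_matches_cert "$dir" || { echo "privkey.pem does not match cert.pem"; rc=1; }
    tls_cert_matches_host "$dir" "$host" || { echo "cert.pem is not issued for $host"; rc=1; }
    tls_chain_verifies "$dir" || { echo "cert.pem does not verify via chain.pem"; rc=1; }
    openssl dhparam -in "$dir/dh_param_1024.pem" -noout -check >/dev/null 2>&1 \
        || { echo "dh_param_1024.pem is not a valid DH parameter file"; rc=1; }
    return $rc
}
```

Run it as `tls_preflight /path/to/tls syncplay.example.org` (constructed hostname) before launching the server; a non-zero exit means the server would either refuse TLS or hand clients a certificate they cannot verify.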