-
Notifications
You must be signed in to change notification settings - Fork 216
TLS support
From version X.X.X Syncplay is starting to support Opportunistic TLS to provide a secure and encrypted connection between the clients and the server, as in modern https-based websites.
Why Opportunistic TLS? To provide complete retro-compatibility, the connection starts using the usual protocol (TCP) then, if both the client and the server support this feature, it switches to the secure protocol TLS before transmitting any data. You will be notified of this switch from the user interface of your client. If either the client or the server does not support TLS, the connection will continue to use an unencrypted channel, as before the introduction of this feature.
The following contains some information about the client- and server-side support of this feature.
Our plan is to gradually roll out the client support for TLS in the following releases for all the platforms.
Packaged binaries of version X.X.X do not support TLS due to an incompatibility between py2exe (the module that we use to create the executable for Syncplay) and cryptography (one of the Python libraries required by this feature). Windows users can still connect to TLS-enabled servers, but their clients will not negotiate encrypted connections. We plan to introduce Opportunistic TLS on Windows in a future release.
The packaged .app of version X.X.X supports Opportunistic TLS. When connecting to any server, the client will try to negotiate a TLS connection, and will fall back to an unencrypted channel when that feature is not available. We encourage all the macOS users to upgrade their clients and try out this feature on our public servers.
Starting from xxxxxxx (commit hash), users on git master can use Opportunistic TLS in their clients. To enable this feature, the twisted[tls] and certifi Python modules are needed (they can be installed either via pip or the OS package manager). Syncplay will not attempt a TLS connection if one of the dependencies is missing from the system.
All our public servers now support Opportunistic TLS. Users are encouraged to upgrade their clients to test this feature. (crossing to be removed once the servers are up and running)
First of all, the twisted[tls] and certifi Python modules are required to run a server that supports Opportunistic TLS.
From version X.X.X a --tls [path] option has been added to syncplayServer.py. The folder specified in path has to contain the certificates needed to sign and establish a verifiable TLS connection. Syncplay does not support self-signed certificates, as they cannot be independently verified by the client. You can easily obtain CA signed certificates from Let's Encrypt for free. For a successful verification, it is mandatory that the certificate is issued for the same hostname used by the server.
When executed with the --tls [path] option, the server expects three files in the folder indicated in path (we use the certbot naming scheme detailed here):
-
cert.pem: the certificate issued by the CA, -
privkey.pem: the private key for the certificate, -
chain.pem: the additional intermediate certificates that clients will need in order to validate the server certificate.
If any of these files or the required libraries is missing, the server will start without the Opportunistic TLS support, providing an error message and a warning: TLS support is not enabled.
NOTE: please ensure that your certificates are valid for your domain name. If the client is unable to verify the certificates, it will prevent the connection entirely. In this case, there will be no attempt to establish an unencrypted connection, imitating the behavior of modern browsers. We use the certifi store (link) to validate certificates. If you experience troubles in making clients validate your certificates, we encourage you to disable TLS on your server and privately test them before enabling this feature again.