Skip to content

TLS support

Alberto Sottile edited this page Feb 26, 2019 · 14 revisions

From version 1.6.3 Syncplay is starting to support Opportunistic TLS to provide a secure and encrypted connection between the clients and the server, as in modern https-based websites.

Why Opportunistic TLS? To provide complete retro-compatibility, the connection starts using the usual protocol (TCP) then, if both the client and the server support this feature, it switches to the secure protocol TLS before transmitting any data. You will be notified of this switch from the user interface of your client. If either the client or the server does not support TLS, the connection will continue to use an unencrypted channel, as before the introduction of this feature.

The following contains some information about the client- and server-side support of this feature.

Client

Our plan is to gradually roll out the client support for TLS in the following releases for all the platforms.

Windows

Packaged binaries of version 1.6.3 do not support TLS due to an incompatibility between py2exe (the module that we use to create the executable for Syncplay) and cryptography (one of the Python libraries required by this feature). Windows users can still connect to TLS-enabled servers, but their clients will not negotiate encrypted connections. We plan to introduce Opportunistic TLS on Windows in a future release.

macOS

The packaged .app of version 1.6.3 supports Opportunistic TLS. When connecting to any server, the client will try to negotiate a TLS connection, and will fall back to an unencrypted channel when that feature is not available. We encourage all the macOS users to upgrade their clients and try out this feature on our public servers.

Linux/*BSD

Starting from 32085f8, users on git master can use Opportunistic TLS in their clients. To enable this feature, the twisted[tls] and certifi Python modules are needed, and they can be installed using pip. Alternatively, the following packages need to be installed from the OS package manager to enable Opportunistic TLS:

'certifi' >= 2018.11.29,
'pyopenssl >= 16.0.0',
'service_identity',
'idna >= 0.6, != 2.3'

Syncplay will not attempt a TLS connection if one of the dependencies is missing from the system.

Server

All our public servers now support Opportunistic TLS. Users are encouraged to upgrade their clients to test this feature.

How can I support Opportunistic TLS in my server?

To enable the server support of Opportunistic TLS, the twisted[tls] and certifi Python modules are required. These modules can be installed using pip. Alternatively, the following packages need to be installed from the OS package manager:

'certifi' >= 2018.11.29,
'pyopenssl >= 16.0.0',
'service_identity',
'idna >= 0.6, != 2.3'

From version 1.6.3 a --tls [path] option has been added to syncplayServer.py. The folder specified in path has to contain the certificates needed to sign and establish a verifiable TLS connection. Syncplay does not support self-signed certificates, as they cannot be independently verified by the client. You can easily obtain CA signed certificates from Let's Encrypt for free. For a successful verification, it is mandatory that the certificate is issued for the same hostname used by the server.

When executed with the --tls [path] option, the server expects three files in the folder indicated in path (we use the certbot naming scheme detailed here):

  • cert.pem: the certificate issued by the CA,
  • privkey.pem: the private key for the certificate,
  • chain.pem: the additional intermediate certificates that clients will need in order to validate the server certificate.

If any of these files or the required libraries is missing, the server will start without the Opportunistic TLS support, providing an error message and a warning: TLS support is not enabled.

NOTE: please ensure that your certificates are valid for your domain name. If the client is unable to verify the certificates, it will prevent the connection entirely. In this case, there will be no attempt to establish an unencrypted connection, imitating the behavior of modern browsers. We use the certifi store (link) to validate certificates. If you experience troubles in making clients validate your certificates, we encourage you to disable TLS on your server and privately test them before enabling this feature again.

Update the TLS certificates

Syncplay supports automatic certificate reloading, allowing to update the certificates and the key without rebooting the server. This facilitates the management of servers even when using short-lived certificates. syncplayServer.py loads the certificates in memory at its launch, and also stores the last modification time of the cert.pem file. Every time the server receives a connection, it checks for the last modification time of the cert.pem file. If the server finds a difference between this modification time and the previously stored value, it automatically loads all the new certificates from path, starting to serve them to all the subsequent incoming connections. Existing connections will not be perturbed by this reloading and will continue to be encrypted and secure.

Hence, to update the certificates while the server is running, you only need to copy the newly issued certificates in path, overwriting the old files.

Clone this wiki locally
You can’t perform that action at this time.