I ended up hacking the server start file. Overall, I think there are a couple of pain points in how the Rasa server is started: the inability to customize Sanic logging and to change SSL context settings are two of them. I hope something can be done to support advanced use cases.
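def create_ssl_context_custom(
    ssl_certificate: Optional[Text],
    ssl_keyfile: Optional[Text],
    ssl_ca_file: Optional[Text] = None,
    ssl_password: Optional[Text] = None,
) -> Optional["SSLContext"]:
    """Create an SSL context if a proper certificate is passed.

    We patch the original function to enable TLSv1.2: when the environment
    variable ``ENABLE_TLS_V1_2`` is set to ``1`` the context is pinned to
    ``PROTOCOL_TLSv1_2`` (TLS 1.2 only -- this also rules out TLS 1.3);
    otherwise ``PROTOCOL_TLS`` is used and the highest version both peers
    support is negotiated.

    Args:
        ssl_certificate: path to the SSL client certificate
        ssl_keyfile: path to the SSL key file
        ssl_ca_file: path to the SSL CA file for verification (optional).
            It is only installed as a trust anchor; this function never
            changes ``verify_mode``, so on its own it does not make the
            server request or verify client certificates.
        ssl_password: SSL private key password (optional)

    Returns:
        SSL context if a valid certificate chain can be loaded, `None` otherwise.

    Raises:
        ValueError: if ``ENABLE_TLS_V1_2`` is set but is not an integer.
        OSError / ssl.SSLError: if the certificate chain or the CA file
            cannot be loaded.
    """
    # No certificate means no TLS at all; bail out before reading the env
    # flag so a garbled ENABLE_TLS_V1_2 cannot break a plain-HTTP start.
    if not ssl_certificate:
        return None

    # Parsed as an int so "1" (and " 1") enable it while "true" raises
    # instead of being silently treated as off.
    enable_tls_v1_2 = int(os.getenv("ENABLE_TLS_V1_2", "0")) == 1

    if enable_tls_v1_2:
        protocol = PROTOCOL_TLSv1_2
        logger.info("SSL with protocol PROTOCOL_TLSv1_2")
    else:
        # NOTE(review): PROTOCOL_TLS can still negotiate TLS 1.0/1.1 if the
        # OpenSSL build permits it; setting
        # `ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2` on this path
        # would reject those while keeping TLS 1.3 available.
        protocol = PROTOCOL_TLS
        logger.info("SSL with protocol PROTOCOL_TLS")

    ssl_context = SSLContext(protocol)
    # NOTE(review): _RESTRICTED_SERVER_CIPHERS is a private CPython attribute
    # with no stability guarantee; confirm it exists on the target interpreter.
    ssl_context.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)

    if ssl_ca_file:
        ssl_context.load_verify_locations(cafile=ssl_ca_file)
    elif ssl_context.verify_mode != CERT_NONE:
        # A freshly built SSLContext with these protocols defaults to
        # CERT_NONE, so this branch is effectively unreachable here; it is
        # kept for parity with the upstream function being patched.
        ssl_context.load_default_certs(purpose=Purpose.CLIENT_AUTH)

    ssl_context.load_cert_chain(
        ssl_certificate, keyfile=ssl_keyfile, password=ssl_password
    )
    return ssl_context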