fix domain whitelist

docs/sample_config.yaml

@@ -259,24 +259,17 @@ listeners:
 
 # Whether to verify TLS certificates when sending federation traffic.
 #
-# This currently defaults to `false`, however this will change in
-# Synapse 1.0 when valid federation certificates will be required.
-#
 #federation_verify_certificates: true
 
-# Skip federation certificate validation on the following whitelist of
-# domains.
-#
-# Note that this should only be used within the context of private
-# federation as it will otherwise break things.
-#
-# Only effective if federation_verify_certicates is `true`.
+# Prevent federation certificate validation on the following whitelist
+# of domains. Only effective if federation_verify_certicates is true.
 #
 #federation_certificate_validation_whitelist:
 #  - lon.example.com
 #  - nyc.example.com
 #  - syd.example.com
 
+
 # List of custom certificate authorities for federation traffic.
 #
 # Note that this list will replace those that are provided by your

synapse/config/server.py

@@ -111,10 +111,14 @@ class ServerConfig(Config):
         self.admin_contact = config.get("admin_contact", None)
 
         # FIXME: federation_domain_whitelist needs sytests
-        self.federation_domain_whitelist = {}
         federation_domain_whitelist = config.get(
             "federation_domain_whitelist", [],
         )
+
+        self.federation_domain_whitelist = None
+        if len(federation_domain_whitelist) > 0:
+            self.federation_domain_whitelist = {}
+
         # turn the whitelist into a hash for speed of lookup
         for domain in federation_domain_whitelist:
             self.federation_domain_whitelist[domain] = True

synapse/config/tls.py

@@ -242,15 +242,15 @@ class TlsConfig(Config):
         #
         #federation_verify_certificates: true
 
-        # Skip federation certificate validation on the following whitelist of
-        # domains.
+        # Skip federation certificate verification on the following whitelist
+        # of domains.
         #
         # Note that this should only be used within the context of private
         # federation as it will otherwise break things.
         #
         # Only effective if federation_verify_certicates is `true`.
         #
-        #federation_certificate_validation_whitelist:
+        #federation_certificate_verification_whitelist:
         #  - lon.example.com
         #  - nyc.example.com
         #  - syd.example.com

synapse/crypto/context_factory.py

@@ -131,7 +131,6 @@ class ClientTLSOptionsFactory(object):
 
     def __init__(self, config):
         self._config = config
-
         self._options_noverify = CertificateOptions()
 
         # Check if we're using a custom list of a CA certificates