diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index e1d4ca2eff..9c74dcd186 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -274,8 +274,8 @@ listeners:
 #
 #federation_certificate_verification_whitelist:
 #  - lon.example.com
-#  - nyc.example.com
-#  - syd.example.com
+#  - *.domain.com
+#  - *.onion
 
 # List of custom certificate authorities for federation traffic.
 #
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 162099dc5e..6f76cf80b0 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -27,6 +27,7 @@ from OpenSSL import crypto
 from twisted.internet._sslverify import Certificate, trustRootFromCertificates
 
 from synapse.config._base import Config, ConfigError
+from synapse.util import glob_to_regex
 
 logger = logging.getLogger(__name__)
 
@@ -77,14 +78,16 @@ class TlsConfig(Config):
         )
 
         # Whitelist of domains to not verify certificates for
-        federation_certificate_verification_whitelist = config.get(
+        fed_whitelist_entries = config.get(
             "federation_certificate_verification_whitelist", [],
         )
 
-        # Store whitelisted domains in a hash for fast lookup
-        self.federation_certificate_verification_whitelist = {}
-        for domain in federation_certificate_verification_whitelist:
-            self.federation_certificate_verification_whitelist[domain] = True
+        # Support globs (*) in whitelist values
+        self.federation_certificate_verification_whitelist = []
+        for entry in fed_whitelist_entries:
+            # Convert globs to regex
+            entry_regex = glob_to_regex(entry)
+            self.federation_certificate_verification_whitelist.append(entry_regex)
 
         # List of custom certificate authorities for federation traffic validation
         custom_ca_list = config.get(
@@ -252,8 +255,8 @@ class TlsConfig(Config):
         #
         #federation_certificate_verification_whitelist:
         #  - lon.example.com
-        #  - nyc.example.com
-        #  - syd.example.com
+        #  - *.domain.com
+        #  - *.onion
 
         # List of custom certificate authorities for federation traffic.
         #
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 6ebbd3b73c..59ea087e66 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -145,11 +145,11 @@ class ClientTLSOptionsFactory(object):
         should_verify = self._config.federation_verify_certificates
 
         # Check if we've disabled certificate verification for this host
-        if (
-            should_verify and
-            host in self._config.federation_certificate_verification_whitelist
-        ):
-            should_verify = False
+        if should_verify:
+            for regex in self._config.federation_certificate_verification_whitelist:
+                if regex.match(host):
+                    should_verify = False
+                    break
 
         if should_verify:
             return ClientTLSOptions(host, self._options_verify._makeContext())