Don't run validation code if validation is turned off

2024-12-21 12:14:29 +03:00 · 2019-04-02 10:53:03 +01:00 · 2019-04-02 10:53:03 +01:00 · a7d7c5a060
commit a7d7c5a060
parent ee0c7e1ab4
3 changed files with 32 additions and 23 deletions
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -90,29 +90,31 @@ class TlsConfig(Config):

        # List of custom certificate authorities for federation traffic validation
        self.federation_custom_ca_list = config.get(
-            "federation_custom_ca_list", [],
+            "federation_custom_ca_list", None,
        )

        # Read in and parse custom CA certificates
-        certs = []
-        for ca_file in self.federation_custom_ca_list:
-            logger.debug("Reading custom CA certificate file: %s", ca_file)
-            try:
-                with open(ca_file, 'rb') as f:
-                    content = f.read()
-            except Exception:
-                logger.exception("Failed to read custom CA certificate off disk!")
-                raise
+        if self.federation_custom_ca_list is not None:
+            certs = []
+            for ca_file in self.federation_custom_ca_list:
+                logger.debug("Reading custom CA certificate file: %s", ca_file)
+                try:
+                    with open(ca_file, 'rb') as f:
+                        content = f.read()
+                except Exception:
+                    logger.exception("Failed to read custom CA certificate off disk!")
+                    raise

-            # Parse the CA certificates
-            try:
-                cert_base = Certificate.loadPEM(content)
-                certs.append(cert_base)
-            except Exception:
-                logger.exception("Failed to parse custom CA certificate off disk!")
-                raise
+                # Parse the CA certificates
+                try:
+                    cert_base = Certificate.loadPEM(content)
+                    certs.append(cert_base)
+                except Exception:
+                    logger.exception("Failed to parse custom CA certificate off disk!")
+                    raise

-        self.federation_custom_ca_list = trustRootFromCertificates(certs)
+            if len(certs) > 0:
+                self.federation_custom_ca_list = trustRootFromCertificates(certs)

        # This config option applies to non-federation HTTP clients
        # (e.g. for talking to recaptcha, identity servers, and such)
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@ -128,10 +128,17 @@ class ClientTLSOptionsFactory(object):

    def __init__(self, config):
        self._config = config
-        self._options_validate = CertificateOptions(
-            # This option implies verify=True
-            trustRoot=config.federation_custom_ca_list,
-        )
+
+        # Check if we're using a custom list of a CA certificates
+        if config.federation_custom_ca_list is not None:
+            self._options_validate = CertificateOptions(
+                # This option implies verify=True
+                trustRoot=config.federation_custom_ca_list,
+            )
+        else:
+            # If not, verify using those provided by the operating environment
+            self._options_validate = CertificateOptions(verify=True)
+
        self._options_novalidate = CertificateOptions(verify=False)

    def get_options(self, host):
--- a/tests/http/federation/test_matrix_federation_agent.py
+++ b/tests/http/federation/test_matrix_federation_agent.py
@ -53,7 +53,7 @@ class MatrixFederationAgentTests(TestCase):

        self.agent = MatrixFederationAgent(
            reactor=self.reactor,
-            tls_client_options_factory=ClientTLSOptionsFactory(None),
+            tls_client_options_factory=ClientTLSOptionsFactory(#TODO How to deal with None config in tests???),
            _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
            _srv_resolver=self.mock_resolver,
            _well_known_cache=self.well_known_cache,