From a7d7c5a060f56306006248b5583117d42cb4e0f9 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 2 Apr 2019 10:53:03 +0100
Subject: [PATCH] Don't run validation code if validation is turned off
---
 synapse/config/tls.py | 38 ++++++++++---------
 synapse/crypto/context_factory.py | 15 ++++++--
 .../test_matrix_federation_agent.py | 2 +-
 3 files changed, 32 insertions(+), 23 deletions(-)
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index f799ff780f..4e0f2d9d75 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -90,29 +90,31 @@ class TlsConfig(Config):
 
         # List of custom certificate authorities for federation traffic validation
         self.federation_custom_ca_list = config.get(
-            "federation_custom_ca_list", [],
+            "federation_custom_ca_list", None,
         )
 
         # Read in and parse custom CA certificates
-        certs = []
-        for ca_file in self.federation_custom_ca_list:
-            logger.debug("Reading custom CA certificate file: %s", ca_file)
-            try:
-                with open(ca_file, 'rb') as f:
-                    content = f.read()
-            except Exception:
-                logger.exception("Failed to read custom CA certificate off disk!")
-                raise
+        if self.federation_custom_ca_list is not None:
+            certs = []
+            for ca_file in self.federation_custom_ca_list:
+                logger.debug("Reading custom CA certificate file: %s", ca_file)
+                try:
+                    with open(ca_file, 'rb') as f:
+                        content = f.read()
+                except Exception:
+                    logger.exception("Failed to read custom CA certificate off disk!")
+                    raise
 
-            # Parse the CA certificates
-            try:
-                cert_base = Certificate.loadPEM(content)
-                certs.append(cert_base)
-            except Exception:
-                logger.exception("Failed to parse custom CA certificate off disk!")
-                raise
+                # Parse the CA certificates
+                try:
+                    cert_base = Certificate.loadPEM(content)
+                    certs.append(cert_base)
+                except Exception:
+                    logger.exception("Failed to parse custom CA certificate off disk!")
+                    raise
 
-        self.federation_custom_ca_list = trustRootFromCertificates(certs)
+            if len(certs) > 0:
+                self.federation_custom_ca_list = trustRootFromCertificates(certs)
 
         # This config option applies to non-federation HTTP clients
         # (e.g. for talking to recaptcha, identity servers, and such)
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index fbe2bd454d..97c796a047 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
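Review bot: The `if len(certs) > 0:` guard at the end of the hunk leaves `self.federation_custom_ca_list` holding the raw configured list when an operator sets `federation_custom_ca_list: []`, so the attribute is now sometimes a list of file paths and sometimes the trust-root object returned by `trustRootFromCertificates`; the context_factory hunk in this commit then passes that `[]` straight to `CertificateOptions(trustRoot=...)`, which presumably cannot use a plain list. Either drop the guard so every non-None value is turned into a trust root (an empty one then fails closed, as before this change), or add `else: self.federation_custom_ca_list = None` so an empty list explicitly falls back to the platform store — and since that silently widens trust on what is likely a misconfiguration, pair it with a `logger.warning("federation_custom_ca_list is empty; using platform CA certificates")`. Whichever is chosen, a comment on the attribute stating that after parsing it is either `None` or an `IOpenSSLTrustRoot`, never the list of paths, would stop the next reader from guessing. The enclosing `read_config` method continues outside the hunk.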
@@ -128,10 +128,17 @@ class ClientTLSOptionsFactory(object):
 
     def __init__(self, config):
         self._config = config
-        self._options_validate = CertificateOptions(
-            # This option implies verify=True
-            trustRoot=config.federation_custom_ca_list,
-        )
+
+        # Check if we're using a custom list of a CA certificates
+        if config.federation_custom_ca_list is not None:
+            self._options_validate = CertificateOptions(
+                # This option implies verify=True
+                trustRoot=config.federation_custom_ca_list,
+            )
+        else:
+            # If not, verify using those provided by the operating environment
+            self._options_validate = CertificateOptions(verify=True)
+
         self._options_novalidate = CertificateOptions(verify=False)
 
     def get_options(self, host):
diff --git a/tests/http/federation/test_matrix_federation_agent.py b/tests/http/federation/test_matrix_federation_agent.py
index dcf184d3cf..2ca91635a9 100644
--- a/tests/http/federation/test_matrix_federation_agent.py
+++ b/tests/http/federation/test_matrix_federation_agent.py
@@ -53,7 +53,7 @@ class MatrixFederationAgentTests(TestCase):
 
         self.agent = MatrixFederationAgent(
             reactor=self.reactor,
-            tls_client_options_factory=ClientTLSOptionsFactory(None),
+            tls_client_options_factory=ClientTLSOptionsFactory(#TODO How to deal with None config in tests???),
             _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
             _srv_resolver=self.mock_resolver,
             _well_known_cache=self.well_known_cache,
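Review bot: `CertificateOptions(verify=True)` in the new `else` branch does not select any trust store, and as far as I recall Twisted rejects `verify=True` without `caCerts` with a ValueError at construction, so the "no custom CA list" path — the default after this commit — would fail when the factory is built rather than verify against the platform CAs. The idiomatic form is `self._options_validate = CertificateOptions(trustRoot=platformTrust())` with `platformTrust` imported from `twisted.internet.ssl`; it implies `verify=True` and uses the operating system's CA bundle, which is what the comment above it intends. That comment should then read `# Otherwise verify against the CA certificates provided by the platform`, and the branch comment `# Check if we're using a custom list of a CA certificates` has a stray "a". The rest of `ClientTLSOptionsFactory`, including `get_options`, lies outside the hunk.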
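Review bot: The new `tls_client_options_factory=ClientTLSOptionsFactory(#TODO ...)` line is a syntax error — the `#` starts a comment that swallows the closing parenthesis and trailing comma — so the whole test module fails to import and every test in it is lost, not just this one. The underlying problem is that `ClientTLSOptionsFactory.__init__` now reads `config.federation_custom_ca_list`, which the previous `None` argument cannot provide; pass a minimal stand-in instead, e.g. `tls_client_options_factory=ClientTLSOptionsFactory(Mock(federation_custom_ca_list=None)),` with `Mock` from `unittest.mock`, or a small object carrying that one attribute. If `Mock` is not already imported in this module, add it alongside the existing imports; the rest of `setUp` is outside the hunk.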