Don't run validation code if validation is turned off

synapse/config/tls.py

@@ -90,29 +90,31 @@ class TlsConfig(Config):
 
         # List of custom certificate authorities for federation traffic validation
         self.federation_custom_ca_list = config.get(
-            "federation_custom_ca_list", [],
+            "federation_custom_ca_list", None,
         )
 
         # Read in and parse custom CA certificates
-        certs = []
+        if self.federation_custom_ca_list is not None:
-        for ca_file in self.federation_custom_ca_list:
+            certs = []
-            logger.debug("Reading custom CA certificate file: %s", ca_file)
+            for ca_file in self.federation_custom_ca_list:
-            try:
+                logger.debug("Reading custom CA certificate file: %s", ca_file)
-                with open(ca_file, 'rb') as f:
+                try:
-                    content = f.read()
+                    with open(ca_file, 'rb') as f:
-            except Exception:
+                        content = f.read()
-                logger.exception("Failed to read custom CA certificate off disk!")
+                except Exception:
-                raise
+                    logger.exception("Failed to read custom CA certificate off disk!")
+                    raise
 
-            # Parse the CA certificates
+                # Parse the CA certificates
-            try:
+                try:
-                cert_base = Certificate.loadPEM(content)
+                    cert_base = Certificate.loadPEM(content)
-                certs.append(cert_base)
+                    certs.append(cert_base)
-            except Exception:
+                except Exception:
-                logger.exception("Failed to parse custom CA certificate off disk!")
+                    logger.exception("Failed to parse custom CA certificate off disk!")
-                raise
+                    raise
 
-        self.federation_custom_ca_list = trustRootFromCertificates(certs)
+            if len(certs) > 0:
+                self.federation_custom_ca_list = trustRootFromCertificates(certs)
 
         # This config option applies to non-federation HTTP clients
         # (e.g. for talking to recaptcha, identity servers, and such)

synapse/crypto/context_factory.py

@@ -128,10 +128,17 @@ class ClientTLSOptionsFactory(object):
 
     def __init__(self, config):
         self._config = config
-        self._options_validate = CertificateOptions(
+
-            # This option implies verify=True
+        # Check if we're using a custom list of a CA certificates
-            trustRoot=config.federation_custom_ca_list,
+        if config.federation_custom_ca_list is not None:
-        )
+            self._options_validate = CertificateOptions(
+                # This option implies verify=True
+                trustRoot=config.federation_custom_ca_list,
+            )
+        else:
+            # If not, verify using those provided by the operating environment
+            self._options_validate = CertificateOptions(verify=True)
+
         self._options_novalidate = CertificateOptions(verify=False)
 
     def get_options(self, host):

tests/http/federation/test_matrix_federation_agent.py

@@ -53,7 +53,7 @@ class MatrixFederationAgentTests(TestCase):
 
         self.agent = MatrixFederationAgent(
             reactor=self.reactor,
-            tls_client_options_factory=ClientTLSOptionsFactory(None),
+            tls_client_options_factory=ClientTLSOptionsFactory(#TODO How to deal with None config in tests???),
             _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
             _srv_resolver=self.mock_resolver,
             _well_known_cache=self.well_known_cache,