authorAndrew Morgan <andrew@amorgan.xyz>2019-04-02 10:53:03 +0100
committerAndrew Morgan <andrew@amorgan.xyz>2019-04-02 10:53:03 +0100
commita7d7c5a060f56306006248b5583117d42cb4e0f9 (patch)
tree7b6a7756dc92001eabb54403119695885054bfd0
parentagain (diff)
downloadsynapse-a7d7c5a060f56306006248b5583117d42cb4e0f9.tar.xz
Don't run validation code if validation is turned off
-rw-r--r--synapse/config/tls.py42
-rw-r--r--synapse/crypto/context_factory.py15
-rw-r--r--tests/http/federation/test_matrix_federation_agent.py2
3 files changed, 34 insertions, 25 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index f799ff780f..4e0f2d9d75 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -90,29 +90,31 @@ class TlsConfig(Config):
 
         # List of custom certificate authorities for federation traffic validation
         self.federation_custom_ca_list = config.get(
-            "federation_custom_ca_list", [],
+            "federation_custom_ca_list", None,
         )
 
         # Read in and parse custom CA certificates
-        certs = []
-        for ca_file in self.federation_custom_ca_list:
-            logger.debug("Reading custom CA certificate file: %s", ca_file)
-            try:
-                with open(ca_file, 'rb') as f:
-                    content = f.read()
-            except Exception:
-                logger.exception("Failed to read custom CA certificate off disk!")
-                raise
-
-            # Parse the CA certificates
-            try:
-                cert_base = Certificate.loadPEM(content)
-                certs.append(cert_base)
-            except Exception:
-                logger.exception("Failed to parse custom CA certificate off disk!")
-                raise
-
-        self.federation_custom_ca_list = trustRootFromCertificates(certs)
+        if self.federation_custom_ca_list is not None:
+            certs = []
+            for ca_file in self.federation_custom_ca_list:
+                logger.debug("Reading custom CA certificate file: %s", ca_file)
+                try:
+                    with open(ca_file, 'rb') as f:
+                        content = f.read()
+                except Exception:
+                    logger.exception("Failed to read custom CA certificate off disk!")
+                    raise
+
+                # Parse the CA certificates
+                try:
+                    cert_base = Certificate.loadPEM(content)
+                    certs.append(cert_base)
+                except Exception:
+                    logger.exception("Failed to parse custom CA certificate off disk!")
+                    raise
+
+            if len(certs) > 0:
+                self.federation_custom_ca_list = trustRootFromCertificates(certs)
 
         # This config option applies to non-federation HTTP clients
         # (e.g. for talking to recaptcha, identity servers, and such)
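Review bot: An explicitly empty `federation_custom_ca_list: []` is handled by neither branch, because the `if len(certs) > 0:` guard at the end of the hunk skips `trustRootFromCertificates` and the attribute keeps the raw list, which `ClientTLSOptionsFactory` then hands to `CertificateOptions(trustRoot=...)` as if it were a trust root. An empty custom CA list is almost certainly an operator mistake and should fail at config load rather than at the first federation connection; if the project's config-error type is in scope here, raise it with a message such as "federation_custom_ca_list is set but contains no certificates", otherwise at least normalise with `self.federation_custom_ca_list = trustRootFromCertificates(certs) if certs else None` so the platform store is used. It would also help to say, in the comment at the top of the block, that the attribute starts as the list of PEM paths from the config and is replaced by the parsed trust root (or `None`) before the method returns, since the two meanings share one name. The enclosing method starts outside the hunk.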
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index fbe2bd454d..97c796a047 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -128,10 +128,17 @@ class ClientTLSOptionsFactory(object):
 
     def __init__(self, config):
         self._config = config
-        self._options_validate = CertificateOptions(
-            # This option implies verify=True
-            trustRoot=config.federation_custom_ca_list,
-        )
+
+        # Check if we're using a custom list of a CA certificates
+        if config.federation_custom_ca_list is not None:
+            self._options_validate = CertificateOptions(
+                # This option implies verify=True
+                trustRoot=config.federation_custom_ca_list,
+            )
+        else:
+            # If not, verify using those provided by the operating environment
+            self._options_validate = CertificateOptions(verify=True)
+
         self._options_novalidate = CertificateOptions(verify=False)
 
     def get_options(self, host):
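Review bot: The `else` branch builds `CertificateOptions(verify=True)` with no trust root, and if I recall Twisted's constructor correctly that combination is rejected with a ValueError asking for CA certificates, which would break startup for every deployment that does not set `federation_custom_ca_list`. The platform trust store is selected in Twisted by passing a trust root, i.e. `self._options_validate = CertificateOptions(trustRoot=platformTrust())` with `platformTrust` imported from `twisted.internet.ssl`, which also keeps both branches in the same `trustRoot` form. Worth confirming against the Twisted version the project pins, since only the `trustRoot=` path is visible on this page. The class continues outside the hunk.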
diff --git a/tests/http/federation/test_matrix_federation_agent.py b/tests/http/federation/test_matrix_federation_agent.py
index dcf184d3cf..2ca91635a9 100644
--- a/tests/http/federation/test_matrix_federation_agent.py
+++ b/tests/http/federation/test_matrix_federation_agent.py
@@ -53,7 +53,7 @@ class MatrixFederationAgentTests(TestCase):
 
         self.agent = MatrixFederationAgent(
             reactor=self.reactor,
-            tls_client_options_factory=ClientTLSOptionsFactory(None),
+            tls_client_options_factory=ClientTLSOptionsFactory(#TODO How to deal with None config in tests???),
             _well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
             _srv_resolver=self.mock_resolver,
             _well_known_cache=self.well_known_cache,
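Review bot: The added line `ClientTLSOptionsFactory(#TODO How to deal with None config in tests???),` is not valid Python — the `#` turns the closing parenthesis and comma into a comment, so the whole test module fails to parse and no test in it will run. Since the factory now only reads `config.federation_custom_ca_list`, a minimal stand-in is enough, e.g. `tls_client_options_factory=ClientTLSOptionsFactory(SimpleNamespace(federation_custom_ca_list=None)),` with `from types import SimpleNamespace`, or the test module's existing mock helper if it has one (imports are outside the hunk). Passing `None` here would pick the platform-trust branch, which is the behaviour the other federation agent tests presumably rely on. The enclosing setUp starts outside the hunk.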