diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index e8d417d024..7dbf41887b 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -77,11 +77,14 @@ class TlsConfig(Config):
)
# Whitelist of domains to not verify certificates for
- self.federation_certificate_verification_whitelist = {}
federation_certificate_verification_whitelist = config.get(
"federation_certificate_verification_whitelist", [],
)
+ self.federation_certificate_verification_whitelist = None
+ if len(federation_certificate_verification_whitelist) > 0:
+ self.federation_certificate_verification_whitelist = {}
+
# Store whitelisted domains in a hash for fast lookup
for domain in federation_certificate_verification_whitelist:
self.federation_certificate_verification_whitelist[domain] = True
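Review bot: The `len(...) > 0` guard and the dict-of-True lookup table built in the loop at the end of the hunk can be replaced by a set while keeping the `None` sentinel for the empty case: `self.federation_certificate_verification_whitelist = set(federation_certificate_verification_whitelist) or None`. Since every entry turns off TLS certificate verification for the federation connection to that host, the attribute deserves a comment saying so, and noting that the lookup in context_factory is an exact hostname match, so listing a bare domain does not cover its subdomains. The enclosing method starts outside the hunk.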
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index d566e1bf23..e2b5ce173b 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -132,18 +132,18 @@ class ClientTLSOptionsFactory(object):
def __init__(self, config):
self._config = config
- self._options_novalidate = CertificateOptions()
+ self._options_noverify = CertificateOptions()
# Check if we're using a custom list of a CA certificates
if config.federation_custom_ca_list is not None:
- self._options_validate = CertificateOptions(
+ self._options_verify = CertificateOptions(
# Use custom CA trusted root certs
trustRoot=config.federation_custom_ca_list,
)
return
# If not, verify using those provided by the operating environment
- self._options_validate = CertificateOptions(
+ self._options_verify = CertificateOptions(
# Use CA root certs provided by OpenSSL
trustRoot=platformTrust(),
)
@@ -152,10 +152,13 @@ class ClientTLSOptionsFactory(object):
# Use _makeContext so that we get a fresh OpenSSL CTX each time.
# Check if certificate verification has been enabled
- if (self._config.federation_verify_certificates and
- host not in self._config.federation_certificate_validation_whitelist):
- # Require verification
- return ClientTLSOptionsVerify(host, self._options_validate._makeContext())
+ if (self._config.federation_verify_certificates):
+ # and if the host is whitelisted against it
+ if (self._config.federation_certificate_verification_whitelist and
+ host in self._config.federation_certificate_verification_whitelist):
+ return ClientTLSOptions(host, self._options_noverify._makeContext())
+
+ return ClientTLSOptionsVerify(host, self._options_verify._makeContext())
# Otherwise don't require verification
- return ClientTLSOptions(host, self._options_novalidate._makeContext())
+ return ClientTLSOptions(host, self._options_noverify._makeContext())
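Review bot: The nested `if` with a nested early return is harder to read than two guard clauses, and the outer `if (self._config.federation_verify_certificates):` carries redundant parentheses; the three outcomes (verification globally off, host whitelisted, verify) read more clearly as a flat sequence. Because a whitelist hit silently hands out an unverified context, it is also worth emitting a warning at that point if the module has a logger, so operators can see when a federation connection was made without certificate checks. The enclosing method begins outside the hunk.
```python
if not self._config.federation_verify_certificates:
    # Verification disabled globally: never check federation certificates.
    return ClientTLSOptions(host, self._options_noverify._makeContext())
whitelist = self._config.federation_certificate_verification_whitelist
if whitelist and host in whitelist:
    # Exact-match whitelist entry: skip certificate verification for this host only.
    return ClientTLSOptions(host, self._options_noverify._makeContext())
return ClientTLSOptionsVerify(host, self._options_verify._makeContext())
```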
diff --git a/synapse/federation/transport/server.py b/synapse/federation/transport/server.py
index f28672f7e2..1ddfbbd7f4 100644
--- a/synapse/federation/transport/server.py
+++ b/synapse/federation/transport/server.py
@@ -127,7 +127,8 @@ class Authenticator(object):
json_request["origin"] = origin
json_request["signatures"].setdefault(origin, {})[key] = sig
- if (origin not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist is not None and
+ origin not in self.federation_domain_whitelist):
raise FederationDeniedError(origin)
if not json_request["signatures"]:
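Review bot: The `is not None` test here is the fail-closed form (an explicitly empty whitelist denies every origin), but the same commit guards the equivalent checks in matrixfederationclient.py and remote_key_resource.py with plain truthiness, where an empty whitelist disables the check entirely; the two conventions should be reconciled, preferably on `is not None`. A one-line comment above the check, `# None means no whitelist configured; an empty whitelist denies everyone`, would pin the intended semantics for the next reader. The enclosing method starts outside the hunk.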
diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py
index c4fdcd0524..36d1015514 100644
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@@ -283,7 +283,8 @@ class MatrixFederationHttpClient(object):
else:
_sec_timeout = self.default_timeout
- if (request.destination not in self.hs.config.federation_domain_whitelist):
+ if (self.hs.config.federation_domain_whitelist and
+ request.destination not in self.hs.config.federation_domain_whitelist):
raise FederationDeniedError(request.destination)
limiter = yield synapse.util.retryutils.get_retry_limiter(
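Review bot: The truthiness test `if (self.hs.config.federation_domain_whitelist and ...)` means an empty whitelist disables the check rather than denying all destinations, which is the opposite of what the `is not None` form in transport/server.py and media_repository.py in this same commit does; unless the config layer guarantees the attribute is never an empty container, this should be `if (self.hs.config.federation_domain_whitelist is not None and request.destination not in self.hs.config.federation_domain_whitelist):` so the outbound check fails closed. The enclosing method begins outside the hunk.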
diff --git a/synapse/rest/key/v2/remote_key_resource.py b/synapse/rest/key/v2/remote_key_resource.py
index dbd4512b74..426c05e79c 100644
--- a/synapse/rest/key/v2/remote_key_resource.py
+++ b/synapse/rest/key/v2/remote_key_resource.py
@@ -139,7 +139,8 @@ class RemoteKey(Resource):
store_queries = []
for server_name, key_ids in query.items():
- if (server_name not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist and
+ server_name not in self.federation_domain_whitelist):
logger.debug("Federation denied with %s", server_name)
continue
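Review bot: As in matrixfederationclient.py, the truthiness guard on `self.federation_domain_whitelist` treats an empty whitelist as "no whitelist", whereas the Authenticator in transport/server.py uses `is not None` and would deny everything; changing this to `if (self.federation_domain_whitelist is not None and server_name not in self.federation_domain_whitelist):` keeps the key-fetch path fail-closed and consistent. The enclosing loop's function starts outside the hunk.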
diff --git a/synapse/rest/media/v1/media_repository.py b/synapse/rest/media/v1/media_repository.py
index dec1206e39..8b16ceb3e9 100644
--- a/synapse/rest/media/v1/media_repository.py
+++ b/synapse/rest/media/v1/media_repository.py
@@ -231,7 +231,8 @@ class MediaRepository(object):
Deferred: Resolves once a response has successfully been written
to request
"""
- if (server_name not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist is not None and
+ server_name not in self.federation_domain_whitelist):
raise FederationDeniedError(server_name)
self.mark_recently_accessed(server_name, media_id)
@@ -268,7 +269,8 @@ class MediaRepository(object):
Returns:
Deferred[dict]: The media_info of the file
"""
- if (server_name not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist and
+ server_name not in self.federation_domain_whitelist):
raise FederationDeniedError(server_name)
# We linearize here to ensure that we don't try and download remote
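Review bot: This second check in media_repository.py uses truthiness while the first hunk in the same file, a few lines above, uses `is not None`; for an empty whitelist the first denies every server and this one allows every server. Align it with the first: `if (self.federation_domain_whitelist is not None and server_name not in self.federation_domain_whitelist):`. The enclosing method starts outside the hunk.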
|