diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index f799ff780f..4e0f2d9d75 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -90,29 +90,31 @@ class TlsConfig(Config):
# List of custom certificate authorities for federation traffic validation
self.federation_custom_ca_list = config.get(
- "federation_custom_ca_list", [],
+ "federation_custom_ca_list", None,
)
# Read in and parse custom CA certificates
- certs = []
- for ca_file in self.federation_custom_ca_list:
- logger.debug("Reading custom CA certificate file: %s", ca_file)
- try:
- with open(ca_file, 'rb') as f:
- content = f.read()
- except Exception:
- logger.exception("Failed to read custom CA certificate off disk!")
- raise
-
- # Parse the CA certificates
- try:
- cert_base = Certificate.loadPEM(content)
- certs.append(cert_base)
- except Exception:
- logger.exception("Failed to parse custom CA certificate off disk!")
- raise
-
- self.federation_custom_ca_list = trustRootFromCertificates(certs)
+ if self.federation_custom_ca_list is not None:
+ certs = []
+ for ca_file in self.federation_custom_ca_list:
+ logger.debug("Reading custom CA certificate file: %s", ca_file)
+ try:
+ with open(ca_file, 'rb') as f:
+ content = f.read()
+ except Exception:
+ logger.exception("Failed to read custom CA certificate off disk!")
+ raise
+
+ # Parse the CA certificates
+ try:
+ cert_base = Certificate.loadPEM(content)
+ certs.append(cert_base)
+ except Exception:
+ logger.exception("Failed to parse custom CA certificate off disk!")
+ raise
+
+ if len(certs) > 0:
+ self.federation_custom_ca_list = trustRootFromCertificates(certs)
# This config option applies to non-federation HTTP clients
# (e.g. for talking to recaptcha, identity servers, and such)
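Review bot: An explicitly configured empty list (`federation_custom_ca_list: []`) now leaves the attribute holding the raw list rather than a trust root, because the `if len(certs) > 0:` guard on the last added lines skips `trustRootFromCertificates` without resetting the value, and the consumer in ClientTLSOptionsFactory only tests `is not None` before handing the attribute to `CertificateOptions(trustRoot=...)`. Add `else: self.federation_custom_ca_list = None` under that guard so an empty list behaves like an absent option, and state the contract in the comment above the loop, e.g. `# After this block the attribute is either None or a trust root, never the raw path list`. Reusing one attribute for both the list of paths and the parsed trust root is what makes this easy to get wrong; a separate name for the parsed result would be clearer. The enclosing method continues outside the hunk.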
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index fbe2bd454d..97c796a047 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -128,10 +128,17 @@ class ClientTLSOptionsFactory(object):
def __init__(self, config):
self._config = config
- self._options_validate = CertificateOptions(
- # This option implies verify=True
- trustRoot=config.federation_custom_ca_list,
- )
+
+ # Check if we're using a custom list of a CA certificates
+ if config.federation_custom_ca_list is not None:
+ self._options_validate = CertificateOptions(
+ # This option implies verify=True
+ trustRoot=config.federation_custom_ca_list,
+ )
+ else:
+ # If not, verify using those provided by the operating environment
+ self._options_validate = CertificateOptions(verify=True)
+
self._options_novalidate = CertificateOptions(verify=False)
def get_options(self, host):
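Review bot: The `else` branch builds `CertificateOptions(verify=True)` with no `caCerts` or `trustRoot`; as far as I recall, Twisted's CertificateOptions rejects that combination with a ValueError at construction, so the default path (no custom CA list configured) would fail when the factory is created rather than verify against the operating environment's store as the comment says. The usual spelling of that intent is `self._options_validate = CertificateOptions(trustRoot=platformTrust())`, with `platformTrust` imported from `twisted.internet.ssl` (the import block is outside the hunk). The comment on the `if` line reads `a CA certificates`; drop the stray article. `__init__` ends inside the hunk but the class continues past it.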