From 433db40f6e2d0bfcda20bfc9b59497ee57e948a8 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Thu, 4 Apr 2019 15:47:12 +0100
Subject: Address changes
---
 synapse/config/tls.py             |  5 +----
 synapse/crypto/context_factory.py | 13 ++++++-------
 2 files changed, 7 insertions(+), 11 deletions(-)
(limited to 'synapse')
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 3fc6cf9a3f..162099dc5e 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -81,11 +81,8 @@ class TlsConfig(Config):
             "federation_certificate_verification_whitelist", [],
         )
-        self.federation_certificate_verification_whitelist = None
-        if len(federation_certificate_verification_whitelist) > 0:
-            self.federation_certificate_verification_whitelist = {}
-            # Store whitelisted domains in a hash for fast lookup
+        self.federation_certificate_verification_whitelist = {}
         for domain in federation_certificate_verification_whitelist:
             self.federation_certificate_verification_whitelist[domain] = True
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 8a3fea043b..6fda5e677d 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
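Review bot: The added `self.federation_certificate_verification_whitelist = {}` builds a dict whose values are always `True` and which is only used for membership, so a set says what it is, and the dropped comment explaining the container should come back because entries in it turn off certificate verification for the named peers: `self.federation_certificate_verification_whitelist = set(federation_certificate_verification_whitelist)` preceded by `# Hosts listed here are contacted over federation without TLS certificate verification; kept as a set for fast lookup`, provided no other code indexes the dict by key. Entries are also stored exactly as written in the config while the consumer in context_factory.py does a plain `in` test, so a mixed-case hostname in the config would silently fail to match and the host would be verified as normal; normalising entries (for example `.lower()`) when loading avoids that, assuming the caller's `host` is a bare hostname. The enclosing method starts outside the hunk.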
@@ -142,13 +142,12 @@ class ClientTLSOptionsFactory(object):
         # Use _makeContext so that we get a fresh OpenSSL CTX each time.
         # Check if certificate verification has been enabled
-        if (self._config.federation_verify_certificates):
-            # and if the host is whitelisted against it
-            if (self._config.federation_certificate_verification_whitelist and host in self._config.federation_certificate_verification_whitelist):
-                return ClientTLSOptionsNoVerify(host, self._options_noverify._makeContext())
+        should_verify = self._config.federation_verify_certificates
-            return ClientTLSOptions(host, self._options_verify._makeContext())
+        # Check if we've disabled certificate verification for this host
+        if should_verify and host in self._config.federation_certificate_verification_whitelist:
+            should_verify = False
-        # Otherwise don't require verification
+        if should_verify:
+            return ClientTLSOptions(host, self._options_verify._makeContext())
         return ClientTLSOptionsNoVerify(host, self._options_noverify._makeContext())
--
cgit 1.5.1
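Review bot: When the new `should_verify = False` branch fires for a whitelisted host, nothing records that the connection is about to be made without certificate verification, so an operator has no trace of which federation peers were reached unverified; a log line in that branch, using the module's logger if one is defined, such as `logger.info("Skipping TLS certificate verification for whitelisted host %s", host)`, would make the weakened path visible in the logs. The two-step flip also reads more directly as a single expression, `should_verify = (self._config.federation_verify_certificates and host not in self._config.federation_certificate_verification_whitelist)`, which leaves only the `if should_verify:` return and the fallback below it. The enclosing method starts outside the hunk.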