Address changes

2019-04-04 15:47:12 +01:00
parent e337c2d9db
commit 433db40f6e
3 changed files with 7 additions and 14 deletions
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -81,11 +81,8 @@ class TlsConfig(Config):
            "federation_certificate_verification_whitelist", [],
        )

-        self.federation_certificate_verification_whitelist = None
-        if len(federation_certificate_verification_whitelist) > 0:
-            self.federation_certificate_verification_whitelist = {}
-
        # Store whitelisted domains in a hash for fast lookup
+        self.federation_certificate_verification_whitelist = {}
        for domain in federation_certificate_verification_whitelist:
            self.federation_certificate_verification_whitelist[domain] = True

--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -142,13 +142,12 @@ class ClientTLSOptionsFactory(object):
        # Use _makeContext so that we get a fresh OpenSSL CTX each time.

        # Check if certificate verification has been enabled
-        if (self._config.federation_verify_certificates):
-            # and if the host is whitelisted against it
-            if (self._config.federation_certificate_verification_whitelist and
-                    host in self._config.federation_certificate_verification_whitelist):
-                return ClientTLSOptionsNoVerify(host, self._options_noverify._makeContext())
+        should_verify = self._config.federation_verify_certificates

+        # Check if we've disabled certificate verification for this host
+        if should_verify and host in self._config.federation_certificate_verification_whitelist:
+            should_verify = False
+
+        if should_verify:
            return ClientTLSOptions(host, self._options_verify._makeContext())
-
-        # Otherwise don't require verification
        return ClientTLSOptionsNoVerify(host, self._options_noverify._makeContext())
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -137,9 +137,6 @@ def default_config(name):
    config.email_enable_notifs = False
    config.block_non_admin_invites = False
    config.federation_domain_whitelist = None
-    config.federation_certificate_verification_whitelist = None
-    config.federation_custom_ca_list = None
-    config.federation_verify_certificates = False
    config.federation_rc_reject_limit = 10
    config.federation_rc_sleep_limit = 10
    config.federation_rc_sleep_delay = 100