diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 0035846de0..a9561ac0b7 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -21,7 +21,7 @@ from OpenSSL import SSL, crypto
 from twisted.internet._sslverify import _defaultCurveName
 from twisted.internet.abstract import isIPAddress, isIPv6Address
 from twisted.internet.interfaces import IOpenSSLClientConnectionCreator
-from twisted.internet.ssl import CertificateOptions, ContextFactory
+from twisted.internet.ssl import CertificateOptions, ContextFactory, platformTrust
 from twisted.python.failure import Failure
 
 logger = logging.getLogger(__name__)
@@ -132,14 +132,17 @@ class ClientTLSOptionsFactory(object):
         # Check if we're using a custom list of a CA certificates
         if config.federation_custom_ca_list is not None:
             self._options_validate = CertificateOptions(
-                # This option implies verify=True
+                # Use custom CA trusted root certs
                 trustRoot=config.federation_custom_ca_list,
             )
         else:
             # If not, verify using those provided by the operating environment
-            self._options_validate = CertificateOptions(verify=True)
+            self._options_validate = CertificateOptions(
+                # Use CA root certs provided by OpenSSL
+                trustRoot=platformTrust(),
+            )
 
-        self._options_novalidate = CertificateOptions(verify=False)
+        self._options_novalidate = CertificateOptions()
 
     def get_options(self, host):
         # Use _makeContext so that we get a fresh OpenSSL CTX each time.
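Review bot: The new `self._options_novalidate = CertificateOptions()` drops the explicit `verify=False`, so the fact that this context performs no certificate validation at all now rests on Twisted's default and is invisible at the call site; since this is the object `get_options` hands out for unverified peers, I would mark it with `# No trustRoot and no verify flag: this context deliberately skips certificate validation` so a future "tidy-up" does not flip its meaning by accident. The `platformTrust()` branch deserves a caveat too: as far as I recall it only calls OpenSSL's default-verify-paths loader, so the set of trusted CAs depends on the OpenSSL build and on `SSL_CERT_FILE`/`SSL_CERT_DIR`, and a statically linked OpenSSL with no bundled store yields an empty trust root in which every validated federation connection fails with an unknown-CA error; a comment such as `# Trust store comes from OpenSSL's compiled-in default paths (or SSL_CERT_FILE/SSL_CERT_DIR) and may be empty on some builds` would save the next operator a debugging session. Whether `config.federation_custom_ca_list` is already an `IOpenSSLTrustRoot` (e.g. from `trustRootFromCertificates`) rather than a bare list cannot be seen here; `CertificateOptions` only accepts the former, so that is worth confirming against the config loader. The enclosing `__init__` starts before this hunk and `get_options` continues past its end.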