chore: enable TLS client cache for HTTPS where appropriate (#9721)

https://forum.syncthing.net/t/infrastructure-report-discovery-stuff/22819/4
This commit is contained in:
Jakob Borg 2024-09-24 08:55:04 +02:00 committed by GitHub
parent a8e2c8edb6
commit cba163a1fd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 17 additions and 8 deletions


@ -116,6 +116,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
InsecureSkipVerify: opts.insecure,
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12,
ClientSessionCache: tls.NewLRUClientSessionCache(0),
},
}),
}}
@ -134,6 +135,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
TLSClientConfig: &tls.Config{
InsecureSkipVerify: opts.insecure,
MinVersion: tls.VersionTLS12,
ClientSessionCache: tls.NewLRUClientSessionCache(0),
},
}),
}}
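Review bot: The two inline tls.Config literals in NewGlobal now hand-copy MinVersion and ClientSessionCache that tlsutil.SecureDefaultWithTLS12() already carries after this commit, so the discovery client still does not get the curated cipherSuites list the upgrade and failure-report clients now receive. If the discover package can import tlsutil without a cycle, start from the helper and override only what differs, e.g. `cfg := tlsutil.SecureDefaultWithTLS12(); cfg.InsecureSkipVerify = opts.insecure; cfg.Certificates = []tls.Certificate{cert}`, which keeps the three call sites from drifting. Either way the cache line deserves a comment, since `0` is not "disabled": `// 0 selects crypto/tls's default LRU capacity; each config owns its own cache`. NewGlobal's body continues outside both hunks.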


@ -26,9 +26,7 @@ import (
var (
ErrIdentificationFailed = errors.New("failed to identify socket type")
)
var (
// The list of cipher suites we will use / suggest for TLS 1.2 connections.
cipherSuites = []uint16{
// Suites that are good and fast on hardware *without* AES-NI.
@ -64,7 +62,8 @@ var (
func SecureDefaultTLS13() *tls.Config {
return &tls.Config{
// TLS 1.3 is the minimum we accept
MinVersion: tls.VersionTLS13,
MinVersion: tls.VersionTLS13,
ClientSessionCache: tls.NewLRUClientSessionCache(0),
}
}
@ -83,6 +82,8 @@ func SecureDefaultWithTLS12() *tls.Config {
// We've put some thought into this choice and would like it to
// matter.
PreferServerCipherSuites: true,
ClientSessionCache: tls.NewLRUClientSessionCache(0),
}
}
@ -147,7 +148,7 @@ func NewCertificate(certFile, keyFile string, commonName string, lifetimeDays in
return tls.Certificate{}, fmt.Errorf("save cert: %w", err)
}
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
if err != nil {
return tls.Certificate{}, fmt.Errorf("save key: %w", err)
}
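Review bot: SecureDefaultTLS13 and SecureDefaultWithTLS12 now attach a ClientSessionCache, but the surrounding context (PreferServerCipherSuites, "suites we will use / suggest") suggests these configs are also installed on listeners, where crypto/tls ignores the field and the per-call LRU allocation is unused. That is harmless, but the intent should be written down so a later cleanup neither strips the field nor replaces it with one shared package-level cache: `// ClientSessionCache enables resumption when this config is used for outbound connections; servers ignore it. Each call returns a fresh cache so unrelated clients never share tickets.` Worth stating in the same comment that TLS 1.2 resumption reuses the original master secret rather than running a new key exchange, so forward secrecy of resumed connections depends on the peer's ticket-key rotation; TLS 1.3 resumption (PSK with ECDHE) does not have that limitation. The var block containing cipherSuites begins in the previous hunk and its contents run past this one.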


@ -30,6 +30,7 @@ import (
"github.com/shirou/gopsutil/v4/host"
"github.com/syncthing/syncthing/lib/dialer"
"github.com/syncthing/syncthing/lib/signature"
"github.com/syncthing/syncthing/lib/tlsutil"
"golang.org/x/net/http2"
)
@ -63,8 +64,9 @@ const (
var upgradeClient = &http.Client{
Timeout: readTimeout,
Transport: &http.Transport{
DialContext: dialer.DialContext,
Proxy: http.ProxyFromEnvironment,
DialContext: dialer.DialContext,
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
},
}
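Review bot: The upgrade client's TLS 1.2 cipher-suite offer is narrowed as a side effect of the TLSClientConfig line, because SecureDefaultWithTLS12() carries the curated cipherSuites list from tlsutil in addition to the ClientSessionCache this commit is about; the same applies to the sendFailureReports hunk in the next file. That is presumably intended, but it is a behaviour change against the release server that the commit title does not mention, and a handshake failure here would surface as an upgrade-check error rather than an obvious TLS misconfiguration. A one-line comment at the call site would make the trade-off visible: `// tlsutil's default also restricts TLS 1.2 suites to the curated list; adjust there, not here`.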


@ -20,6 +20,7 @@ import (
"github.com/syncthing/syncthing/lib/dialer"
"github.com/syncthing/syncthing/lib/events"
"github.com/syncthing/syncthing/lib/svcutil"
"github.com/syncthing/syncthing/lib/tlsutil"
"github.com/thejerf/suture/v4"
)
@ -208,8 +209,9 @@ func sendFailureReports(ctx context.Context, reports []FailureReport, url string
client := &http.Client{
Transport: &http.Transport{
DialContext: dialer.DialContext,
Proxy: http.ProxyFromEnvironment,
DialContext: dialer.DialContext,
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
},
}
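Review bot: The session cache added via SecureDefaultWithTLS12() here is created fresh on every call, because `client` is built inside sendFailureReports rather than at package scope like upgradeClient in the previous file, so no ticket ever survives to a second invocation and resumption only helps if this client makes several requests within one call. Hoisting the config to package level, e.g. `var failureTLSConfig = tlsutil.SecureDefaultWithTLS12()` referenced from `TLSClientConfig: failureTLSConfig`, shares the cache across calls while leaving the per-call client in place (a tls.Config must not be mutated after first use, but is safe to share between transports). The sendUsageReport hunk in the last file has the same shape; as its config depends on a runtime option it would instead keep a cache on the Service and set `ClientSessionCache` from it. sendFailureReports starts outside this hunk, so I cannot see whether the transport is ever closed; if not, a package-level client would also stop idle connections accumulating per call.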


@ -352,6 +352,8 @@ func (s *Service) sendUsageReport(ctx context.Context) error {
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: s.cfg.Options().URPostInsecurely,
MinVersion: tls.VersionTLS12,
ClientSessionCache: tls.NewLRUClientSessionCache(0),
},
},
}