From cba163a1fdf2c2ad24b27683ed44b90d945ba764 Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Tue, 24 Sep 2024 08:55:04 +0200
Subject: [PATCH] chore: enable TLS client cache for HTTPS where appropriate (#9721)

https://forum.syncthing.net/t/infrastructure-report-discovery-stuff/22819/4
---
 lib/discover/global.go           | 2 ++
 lib/tlsutil/tlsutil.go           | 9 +++++----
 lib/upgrade/upgrade_supported.go | 6 ++++--
 lib/ur/failurereporting.go       | 6 ++++--
 lib/ur/usage_report.go           | 2 ++
 5 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/lib/discover/global.go b/lib/discover/global.go
index ba6c69f3d..febb3910f 100644
--- a/lib/discover/global.go
+++ b/lib/discover/global.go
@@ -116,6 +116,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
 				InsecureSkipVerify: opts.insecure,
 				Certificates:       []tls.Certificate{cert},
 				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		}),
 	}}
@@ -134,6 +135,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: opts.insecure,
 				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		}),
 	}}
diff --git a/lib/tlsutil/tlsutil.go b/lib/tlsutil/tlsutil.go
index e184d16dd..a105c9e87 100644
--- a/lib/tlsutil/tlsutil.go
+++ b/lib/tlsutil/tlsutil.go
@@ -26,9 +26,7 @@ import (
 
 var (
 	ErrIdentificationFailed = errors.New("failed to identify socket type")
-)
 
-var (
 	// The list of cipher suites we will use / suggest for TLS 1.2 connections.
 	cipherSuites = []uint16{
 		// Suites that are good and fast on hardware *without* AES-NI.
@@ -64,7 +62,8 @@ var (
 func SecureDefaultTLS13() *tls.Config {
 	return &tls.Config{
 		// TLS 1.3 is the minimum we accept
-		MinVersion: tls.VersionTLS13,
+		MinVersion:         tls.VersionTLS13,
+		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 }
 
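Review bot: The `0` passed to `tls.NewLRUClientSessionCache(0)` on the added line is a sentinel meaning "use the crypto/tls default capacity", which is not obvious at the call site; a short comment such as `// 0 selects crypto/tls's default LRU capacity` would help, and the same literal recurs in the second hunk of this file, in both tlsutil.go defaults and in usage_report.go. Each call also allocates an independent cache, so the two http.Client values in NewGlobal never share resumption state; that looks intended, since only the first one presents a client certificate, but it is worth saying so in a comment. If opts.insecure is set, a resumed connection is no less verified than the full handshake it resumes, so no new exposure arises from this line.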
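Review bot: With session resumption enabled in `SecureDefaultTLS13()`, connections dialed through this config can skip the certificate exchange, and per the crypto/tls documentation `VerifyPeerCertificate` is not invoked on resumed connections while `VerifyConnection` still is; any caller that performs peer identity checks in `VerifyPeerCertificate` rather than on `ConnectionState()` after the handshake should be confirmed before this lands. The same applies to `SecureDefaultWithTLS12()` in the next hunk. `ClientSessionCache` is only used on the client side, so it is inert when the returned config is used to accept connections, and since each call returns a fresh cache, resumption only occurs among connections made through one returned `*tls.Config`. A doc comment on both functions, e.g. `// The returned config carries its own client session cache; reuse one config to benefit from TLS session resumption.`, would make that lifetime expectation explicit.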
@@ -83,6 +82,8 @@ func SecureDefaultWithTLS12() *tls.Config {
 		// We've put some thought into this choice and would like it to
 		// matter.
 		PreferServerCipherSuites: true,
+
+		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 }
 
@@ -147,7 +148,7 @@ func NewCertificate(certFile, keyFile string, commonName string, lifetimeDays in
 		return tls.Certificate{}, fmt.Errorf("save cert: %w", err)
 	}
 
-	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
 		return tls.Certificate{}, fmt.Errorf("save key: %w", err)
 	}
diff --git a/lib/upgrade/upgrade_supported.go b/lib/upgrade/upgrade_supported.go
index db2c17e6a..0bfa576d6 100644
--- a/lib/upgrade/upgrade_supported.go
+++ b/lib/upgrade/upgrade_supported.go
@@ -30,6 +30,7 @@ import (
 	"github.com/shirou/gopsutil/v4/host"
 	"github.com/syncthing/syncthing/lib/dialer"
 	"github.com/syncthing/syncthing/lib/signature"
+	"github.com/syncthing/syncthing/lib/tlsutil"
 	"golang.org/x/net/http2"
 )
 
@@ -63,8 +64,9 @@ const (
 var upgradeClient = &http.Client{
 	Timeout: readTimeout,
 	Transport: &http.Transport{
-		DialContext: dialer.DialContext,
-		Proxy:       http.ProxyFromEnvironment,
+		DialContext:     dialer.DialContext,
+		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
 	},
 }
 
diff --git a/lib/ur/failurereporting.go b/lib/ur/failurereporting.go
index 8796c6018..92c54173d 100644
--- a/lib/ur/failurereporting.go
+++ b/lib/ur/failurereporting.go
@@ -20,6 +20,7 @@ import (
 	"github.com/syncthing/syncthing/lib/dialer"
 	"github.com/syncthing/syncthing/lib/events"
 	"github.com/syncthing/syncthing/lib/svcutil"
+	"github.com/syncthing/syncthing/lib/tlsutil"
 	"github.com/thejerf/suture/v4"
 )
 
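Review bot: `tlsutil.SecureDefaultWithTLS12()` applies the fixed TLS 1.2 cipher-suite list from tlsutil.go to a client that talks to an external release host; if that host only offers TLS 1.2 suites outside that list, upgrade downloads would fail with a handshake error rather than fall back. TLS 1.3 endpoints are unaffected because Go does not let a config restrict 1.3 suites, so this is worth confirming against the real upgrade server rather than a blocker, and a comment on the `TLSClientConfig` line noting that dependency would help the next reader. The transport already set `DialContext`, which disables automatic HTTP/2 on its own, so the explicit `TLSClientConfig` does not regress that; if the `http2` import in this file feeds `http2.ConfigureTransport` elsewhere, that path is unchanged too. Since `upgradeClient` is package-level, the session cache inside the returned config lives for the process lifetime, which is the useful case.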
@@ -208,8 +209,9 @@ func sendFailureReports(ctx context.Context, reports []FailureReport, url string
 
 	client := &http.Client{
 		Transport: &http.Transport{
-			DialContext: dialer.DialContext,
-			Proxy:       http.ProxyFromEnvironment,
+			DialContext:     dialer.DialContext,
+			Proxy:           http.ProxyFromEnvironment,
+			TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
 		},
 	}
 
diff --git a/lib/ur/usage_report.go b/lib/ur/usage_report.go
index ce6984a4c..858e2ef07 100644
--- a/lib/ur/usage_report.go
+++ b/lib/ur/usage_report.go
@@ -352,6 +352,8 @@ func (s *Service) sendUsageReport(ctx context.Context) error {
 			Proxy: http.ProxyFromEnvironment,
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: s.cfg.Options().URPostInsecurely,
+				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		},
 	}
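Review bot: `client` is built inside `sendFailureReports`, so the session cache that `tlsutil.SecureDefaultWithTLS12()` allocates on the added line lives only for this call and is discarded with the client; resumption only pays off if this function issues more than one request per invocation, which the hunk does not show. If cross-call resumption is the goal, hoist the client, or at least the `*tls.Config`, to package or service scope the way upgrade_supported.go keeps `upgradeClient`. Hoisting would also stop each call from leaving behind a fresh `http.Transport` with its idle connections, which a per-call client otherwise needs `defer client.CloseIdleConnections()` for. The function's body starts before and continues after this hunk.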
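Review bot: This site hand-builds the `tls.Config` instead of calling `tlsutil.SecureDefaultWithTLS12()` as the failurereporting.go and upgrade_supported.go hunks do, so it gains the minimum version and session cache but not the cipher-suite policy the other reporting clients now share; `cfg := tlsutil.SecureDefaultWithTLS12()` followed by `cfg.InsecureSkipVerify = s.cfg.Options().URPostInsecurely` (plus the tlsutil import) would keep the three consistent. As in failurereporting.go, the transport literal sits inside `sendUsageReport`, so the new cache is per call unless the enclosing client is reused across reports, which is not visible here. Combining `InsecureSkipVerify` with resumption is no weaker than before, since a resumed connection inherits whatever verification the original handshake did. The method extends beyond both ends of this hunk.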