chore: enable TLS client cache for HTTPS where appropriate (#9721)

https://forum.syncthing.net/t/infrastructure-report-discovery-stuff/22819/4

lib/discover/global.go

@@ -116,6 +116,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
 				InsecureSkipVerify: opts.insecure,
 				Certificates:       []tls.Certificate{cert},
 				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		}),
 	}}
@@ -134,6 +135,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: opts.insecure,
 				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		}),
 	}}

lib/tlsutil/tlsutil.go

@@ -26,9 +26,7 @@ import (
 
 var (
 	ErrIdentificationFailed = errors.New("failed to identify socket type")
-)
 
-var (
 	// The list of cipher suites we will use / suggest for TLS 1.2 connections.
 	cipherSuites = []uint16{
 		// Suites that are good and fast on hardware *without* AES-NI.
@@ -65,6 +63,7 @@ func SecureDefaultTLS13() *tls.Config {
 	return &tls.Config{
 		// TLS 1.3 is the minimum we accept
 		MinVersion:         tls.VersionTLS13,
+		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 }
 
@@ -83,6 +82,8 @@ func SecureDefaultWithTLS12() *tls.Config {
 		// We've put some thought into this choice and would like it to
 		// matter.
 		PreferServerCipherSuites: true,
+
+		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 }
 
@@ -147,7 +148,7 @@ func NewCertificate(certFile, keyFile string, commonName string, lifetimeDays in
 		return tls.Certificate{}, fmt.Errorf("save cert: %w", err)
 	}
 
-	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
 		return tls.Certificate{}, fmt.Errorf("save key: %w", err)
 	}

lib/upgrade/upgrade_supported.go

@@ -30,6 +30,7 @@ import (
 	"github.com/shirou/gopsutil/v4/host"
 	"github.com/syncthing/syncthing/lib/dialer"
 	"github.com/syncthing/syncthing/lib/signature"
+	"github.com/syncthing/syncthing/lib/tlsutil"
 	"golang.org/x/net/http2"
 )
 
@@ -65,6 +66,7 @@ var upgradeClient = &http.Client{
 	Transport: &http.Transport{
 		DialContext:     dialer.DialContext,
 		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
 	},
 }
 

lib/ur/failurereporting.go

@@ -20,6 +20,7 @@ import (
 	"github.com/syncthing/syncthing/lib/dialer"
 	"github.com/syncthing/syncthing/lib/events"
 	"github.com/syncthing/syncthing/lib/svcutil"
+	"github.com/syncthing/syncthing/lib/tlsutil"
 
 	"github.com/thejerf/suture/v4"
 )
@@ -210,6 +211,7 @@ func sendFailureReports(ctx context.Context, reports []FailureReport, url string
 		Transport: &http.Transport{
 			DialContext:     dialer.DialContext,
 			Proxy:           http.ProxyFromEnvironment,
+			TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
 		},
 	}
 

lib/ur/usage_report.go

@@ -352,6 +352,8 @@ func (s *Service) sendUsageReport(ctx context.Context) error {
 			Proxy:       http.ProxyFromEnvironment,
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: s.cfg.Options().URPostInsecurely,
+				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		},
 	}