chore: enable TLS client cache for HTTPS where appropriate (#9721)

https://forum.syncthing.net/t/infrastructure-report-discovery-stuff/22819/4
2024-12-22 02:48:59 +00:00 · 2024-09-24 08:55:04 +02:00 · 2024-09-24 08:55:04 +02:00 · cba163a1fd
commit cba163a1fd
parent a8e2c8edb6
5 changed files with 17 additions and 8 deletions
--- a/lib/discover/global.go
+++ b/lib/discover/global.go
@ -116,6 +116,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
 				InsecureSkipVerify: opts.insecure,
 				Certificates:       []tls.Certificate{cert},
 				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		}),
 	}}
@ -134,6 +135,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: opts.insecure,
 				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		}),
 	}}
--- a/lib/tlsutil/tlsutil.go
+++ b/lib/tlsutil/tlsutil.go
@ -26,9 +26,7 @@ import (

 var (
 	ErrIdentificationFailed = errors.New("failed to identify socket type")
-)

-var (
 	// The list of cipher suites we will use / suggest for TLS 1.2 connections.
 	cipherSuites = []uint16{
 		// Suites that are good and fast on hardware *without* AES-NI.
@ -65,6 +63,7 @@ func SecureDefaultTLS13() *tls.Config {
 	return &tls.Config{
 		// TLS 1.3 is the minimum we accept
 		MinVersion:         tls.VersionTLS13,
+		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 }

@ -83,6 +82,8 @@ func SecureDefaultWithTLS12() *tls.Config {
 		// We've put some thought into this choice and would like it to
 		// matter.
 		PreferServerCipherSuites: true,
+
+		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 }

@ -147,7 +148,7 @@ func NewCertificate(certFile, keyFile string, commonName string, lifetimeDays in
 		return tls.Certificate{}, fmt.Errorf("save cert: %w", err)
 	}

-	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
 		return tls.Certificate{}, fmt.Errorf("save key: %w", err)
 	}
--- a/lib/upgrade/upgrade_supported.go
+++ b/lib/upgrade/upgrade_supported.go
@ -30,6 +30,7 @@ import (
 	"github.com/shirou/gopsutil/v4/host"
 	"github.com/syncthing/syncthing/lib/dialer"
 	"github.com/syncthing/syncthing/lib/signature"
+	"github.com/syncthing/syncthing/lib/tlsutil"
 	"golang.org/x/net/http2"
 )

@ -65,6 +66,7 @@ var upgradeClient = &http.Client{
 	Transport: &http.Transport{
 		DialContext:     dialer.DialContext,
 		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
 	},
 }

--- a/lib/ur/failurereporting.go
+++ b/lib/ur/failurereporting.go
@ -20,6 +20,7 @@ import (
 	"github.com/syncthing/syncthing/lib/dialer"
 	"github.com/syncthing/syncthing/lib/events"
 	"github.com/syncthing/syncthing/lib/svcutil"
+	"github.com/syncthing/syncthing/lib/tlsutil"

 	"github.com/thejerf/suture/v4"
 )
@ -210,6 +211,7 @@ func sendFailureReports(ctx context.Context, reports []FailureReport, url string
 		Transport: &http.Transport{
 			DialContext:     dialer.DialContext,
 			Proxy:           http.ProxyFromEnvironment,
+			TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
 		},
 	}

--- a/lib/ur/usage_report.go
+++ b/lib/ur/usage_report.go
@ -352,6 +352,8 @@ func (s *Service) sendUsageReport(ctx context.Context) error {
 			Proxy:       http.ProxyFromEnvironment,
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: s.cfg.Options().URPostInsecurely,
+				MinVersion:         tls.VersionTLS12,
+				ClientSessionCache: tls.NewLRUClientSessionCache(0),
 			},
 		},
 	}