mirror of
https://github.com/octoleo/syncthing.git
synced 2024-12-22 02:48:59 +00:00
chore: enable TLS client cache for HTTPS where appropriate (#9721)
https://forum.syncthing.net/t/infrastructure-report-discovery-stuff/22819/4
This commit is contained in:
parent
a8e2c8edb6
commit
cba163a1fd
@ -116,6 +116,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
|
||||
InsecureSkipVerify: opts.insecure,
|
||||
Certificates: []tls.Certificate{cert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
ClientSessionCache: tls.NewLRUClientSessionCache(0),
|
||||
},
|
||||
}),
|
||||
}}
|
||||
@ -134,6 +135,7 @@ func NewGlobal(server string, cert tls.Certificate, addrList AddressLister, evLo
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: opts.insecure,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
ClientSessionCache: tls.NewLRUClientSessionCache(0),
|
||||
},
|
||||
}),
|
||||
}}
|
||||
|
@ -26,9 +26,7 @@ import (
|
||||
|
||||
var (
|
||||
ErrIdentificationFailed = errors.New("failed to identify socket type")
|
||||
)
|
||||
|
||||
var (
|
||||
// The list of cipher suites we will use / suggest for TLS 1.2 connections.
|
||||
cipherSuites = []uint16{
|
||||
// Suites that are good and fast on hardware *without* AES-NI.
|
||||
@ -64,7 +62,8 @@ var (
|
||||
func SecureDefaultTLS13() *tls.Config {
|
||||
return &tls.Config{
|
||||
// TLS 1.3 is the minimum we accept
|
||||
MinVersion: tls.VersionTLS13,
|
||||
MinVersion: tls.VersionTLS13,
|
||||
ClientSessionCache: tls.NewLRUClientSessionCache(0),
|
||||
}
|
||||
}
|
||||
|
||||
@ -83,6 +82,8 @@ func SecureDefaultWithTLS12() *tls.Config {
|
||||
// We've put some thought into this choice and would like it to
|
||||
// matter.
|
||||
PreferServerCipherSuites: true,
|
||||
|
||||
ClientSessionCache: tls.NewLRUClientSessionCache(0),
|
||||
}
|
||||
}
|
||||
|
||||
@ -147,7 +148,7 @@ func NewCertificate(certFile, keyFile string, commonName string, lifetimeDays in
|
||||
return tls.Certificate{}, fmt.Errorf("save cert: %w", err)
|
||||
}
|
||||
|
||||
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("save key: %w", err)
|
||||
}
|
||||
|
@ -30,6 +30,7 @@ import (
|
||||
"github.com/shirou/gopsutil/v4/host"
|
||||
"github.com/syncthing/syncthing/lib/dialer"
|
||||
"github.com/syncthing/syncthing/lib/signature"
|
||||
"github.com/syncthing/syncthing/lib/tlsutil"
|
||||
"golang.org/x/net/http2"
|
||||
)
|
||||
|
||||
@ -63,8 +64,9 @@ const (
|
||||
var upgradeClient = &http.Client{
|
||||
Timeout: readTimeout,
|
||||
Transport: &http.Transport{
|
||||
DialContext: dialer.DialContext,
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
DialContext: dialer.DialContext,
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"github.com/syncthing/syncthing/lib/dialer"
|
||||
"github.com/syncthing/syncthing/lib/events"
|
||||
"github.com/syncthing/syncthing/lib/svcutil"
|
||||
"github.com/syncthing/syncthing/lib/tlsutil"
|
||||
|
||||
"github.com/thejerf/suture/v4"
|
||||
)
|
||||
@ -208,8 +209,9 @@ func sendFailureReports(ctx context.Context, reports []FailureReport, url string
|
||||
|
||||
client := &http.Client{
|
||||
Transport: &http.Transport{
|
||||
DialContext: dialer.DialContext,
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
DialContext: dialer.DialContext,
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
TLSClientConfig: tlsutil.SecureDefaultWithTLS12(),
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -352,6 +352,8 @@ func (s *Service) sendUsageReport(ctx context.Context) error {
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: s.cfg.Options().URPostInsecurely,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
ClientSessionCache: tls.NewLRUClientSessionCache(0),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user