FreeBSD Bugzilla – Attachment 217476 Details for
Bug 248867
net/syncthing: SSL errors due to Go 1.15 behaviour change
[patch]
Backported patch from 1.9 development
syncthing.patch (text/plain), 5.78 KB, created by
James French
on 2020-08-24 05:36:44 UTC
Description:
Backported patch from 1.9 development
Filename:
MIME Type:
Creator:
James French
Created:
2020-08-24 05:36:44 UTC
Size:
5.78 KB
patch
obsolete
>diff -urN net/syncthing/Makefile net/syncthing/Makefile
>--- net/syncthing/Makefile 2020-08-16 04:00:09.550558000 +0800
>+++ net/syncthing/Makefile 2020-08-24 13:29:41.234615000 +0800
>@@ -2,6 +2,7 @@
> 
> PORTNAME= syncthing
> PORTVERSION= 1.8.0
>+PORTREVISION= 1
> DISTVERSIONPREFIX= v
> CATEGORIES= net
> MASTER_SITES= https://github.com/syncthing/syncthing/releases/download/v${PORTVERSION}/
>diff -urN net/syncthing/files/patch-syncthing_lib_api_api.go net/syncthing/files/patch-syncthing_lib_api_api.go
>--- net/syncthing/files/patch-syncthing_lib_api_api.go 1970-01-01 08:00:00.000000000 +0800
>+++ net/syncthing/files/patch-syncthing_lib_api_api.go 2020-08-24 12:49:48.064216000 +0800
>@@ -0,0 +1,47 @@
>+--- syncthing/lib/api/api.go.orig 2020-08-11 08:56:46 UTC
>++++ syncthing/lib/api/api.go
>+@@ -149,7 +149,7 @@ func (s *service) getListener(guiCfg config.GUIConfigu
>+ // If the certificate has expired or will expire in the next month, fail
>+ // it and generate a new one.
>+ if err == nil {
>+- err = checkExpiry(cert)
>++ err = shouldRegenerateCertificate(cert)
>+ }
>+ if err != nil {
>+ l.Infoln("Loading HTTPS certificate:", err)
>+@@ -1736,7 +1736,11 @@ func addressIsLocalhost(addr string) bool {
>+ }
>+ }
>+ 
>+-func checkExpiry(cert tls.Certificate) error {
>++// shouldRegenerateCertificate checks for certificate expiry or other known
>++// issues with our API/GUI certificate and returns either nil (leave the
>++// certificate alone) or an error describing the reason the certificate
>++// should be regenerated.
>++func shouldRegenerateCertificate(cert tls.Certificate) error {
>+ leaf := cert.Leaf
>+ if leaf == nil {
>+ // Leaf can be nil or not, depending on how parsed the certificate
>+@@ -1752,10 +1756,19 @@ func checkExpiry(cert tls.Certificate) error {
>+ }
>+ }
>+ 
>+- if leaf.Subject.String() != leaf.Issuer.String() ||
>+- len(leaf.DNSNames) != 0 || len(leaf.IPAddresses) != 0 {
>+- // The certificate is not self signed, or has DNS/IP attributes we don't
>++ if leaf.Subject.String() != leaf.Issuer.String() || len(leaf.IPAddresses) != 0 {
>++ // The certificate is not self signed, or has IP attributes we don't
>+ // add, so we leave it alone.
>++ return nil
>++ }
>++ if len(leaf.DNSNames) > 1 {
>++ // The certificate has more DNS SANs attributes than we ever add, so
>++ // we leave it alone.
>++ return nil
>++ }
>++ if len(leaf.DNSNames) == 1 && leaf.DNSNames[0] != leaf.Issuer.CommonName {
>++ // The one SAN is different from the issuer, so it's not one of our
>++ // newer self signed certificates.
>+ return nil
>+ }
>+ 
>diff -urN net/syncthing/files/patch-syncthing_lib_api_api__test.go net/syncthing/files/patch-syncthing_lib_api_api__test.go
>--- net/syncthing/files/patch-syncthing_lib_api_api__test.go 1970-01-01 08:00:00.000000000 +0800
>+++ net/syncthing/files/patch-syncthing_lib_api_api__test.go 2020-08-24 12:49:48.067354000 +0800
>@@ -0,0 +1,38 @@
>+--- syncthing/lib/api/api_test.go.orig 2020-08-11 08:56:46 UTC
>++++ syncthing/lib/api/api_test.go
>+@@ -1136,7 +1136,7 @@ func TestPrefixMatch(t *testing.T) {
>+ }
>+ }
>+ 
>+-func TestCheckExpiry(t *testing.T) {
>++func TestShouldRegenerateCertificate(t *testing.T) {
>+ dir, err := ioutil.TempDir("", "syncthing-test")
>+ if err != nil {
>+ t.Fatal(err)
>+@@ -1149,7 +1149,7 @@ func TestCheckExpiry(t *testing.T) {
>+ if err != nil {
>+ t.Fatal(err)
>+ }
>+- if err := checkExpiry(crt); err == nil {
>++ if err := shouldRegenerateCertificate(crt); err == nil {
>+ t.Error("expected expiry error")
>+ }
>+ 
>+@@ -1158,7 +1158,7 @@ func TestCheckExpiry(t *testing.T) {
>+ if err != nil {
>+ t.Fatal(err)
>+ }
>+- if err := checkExpiry(crt); err != nil {
>++ if err := shouldRegenerateCertificate(crt); err != nil {
>+ t.Error("expected no error:", err)
>+ }
>+ 
>+@@ -1168,7 +1168,7 @@ func TestCheckExpiry(t *testing.T) {
>+ if err != nil {
>+ t.Fatal(err)
>+ }
>+- if err := checkExpiry(crt); err == nil {
>++ if err := shouldRegenerateCertificate(crt); err == nil {
>+ t.Error("expected expiry error")
>+ }
>+ }
>diff -urN net/syncthing/files/patch-syncthing_lib_connections_service.go net/syncthing/files/patch-syncthing_lib_connections_service.go
>--- net/syncthing/files/patch-syncthing_lib_connections_service.go 1970-01-01 08:00:00.000000000 +0800
>+++ net/syncthing/files/patch-syncthing_lib_connections_service.go 2020-08-24 12:49:48.070338000 +0800
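Review bot: A self-signed certificate with no DNS SANs and no IP SANs passes all three new guards in `shouldRegenerateCertificate` and falls through to the tail of the function, which lies outside this hunk, so whether a legacy SAN-less GUI certificate is ever replaced depends on code not shown here. With this patch `NewCertificate` starts emitting a DNS SAN and, as the service.go comment notes, Go 1.15 no longer accepts CN-only certificates in `VerifyHostname`, so if the tail only checks expiry a still-valid legacy certificate keeps failing name checks until it expires naturally. If that is the case, adding `if len(leaf.DNSNames) == 0 { return errors.New("certificate has no SAN") }` after the expiry check would migrate legacy GUI certificates on the next start, matching the comment's "other known issues" wording. `shouldRegenerateCertificate` is declared in the second inner hunk and its body continues past the end of this hunk.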
>@@ -0,0 +1,15 @@
>+--- syncthing/lib/connections/service.go.orig 2020-08-11 08:56:46 UTC
>++++ syncthing/lib/connections/service.go
>+@@ -305,7 +305,11 @@ func (s *service) handle(ctx context.Context) {
>+ if certName == "" {
>+ certName = s.tlsDefaultCommonName
>+ }
>+- if err := remoteCert.VerifyHostname(certName); err != nil {
>++ if remoteCert.Subject.CommonName == certName {
>++ // All good. We do this check because our old style certificates
>++ // have "syncthing" in the CommonName field and no SANs, which
>++ // is not accepted by VerifyHostname() any more as of Go 1.15.
>++ } else if err := remoteCert.VerifyHostname(certName); err != nil {
>+ // Incorrect certificate name is something the user most
>+ // likely wants to know about, since it's an advanced
>+ // config. Warn instead of Info.
>diff -urN net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go
>--- net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go 1970-01-01 08:00:00.000000000 +0800
>+++ net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go 2020-08-24 12:49:48.073400000 +0800
>@@ -0,0 +1,10 @@
>+--- syncthing/lib/tlsutil/tlsutil.go.orig 2020-08-11 08:56:46 UTC
>++++ syncthing/lib/tlsutil/tlsutil.go
>+@@ -106,6 +106,7 @@ func NewCertificate(certFile, keyFile, commonName stri
>+ Subject: pkix.Name{
>+ CommonName: commonName,
>+ },
>++ DNSNames: []string{commonName},
>+ NotBefore: notBefore,
>+ NotAfter: notAfter,
>+ SignatureAlgorithm: x509.ECDSAWithSHA256,
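Review bot: The new fallback `if remoteCert.Subject.CommonName == certName` accepts a matching CommonName for every peer certificate, not only the legacy SAN-less ones the comment describes, so a certificate that carries DNS or IP SANs none of which match `certName` is now accepted on CN alone, where before the patch `VerifyHostname` ignored the CN once SANs were present and rejected it. Peer identity is presumably still bound to the certificate hash elsewhere in `handle`, so this narrows a sanity check rather than bypassing authentication, but the fallback can be scoped to exactly what the comment states with `if len(remoteCert.DNSNames) == 0 && len(remoteCert.IPAddresses) == 0 && remoteCert.Subject.CommonName == certName {`. The empty `if` body is also unusual; inverting the test so `VerifyHostname` is only called under `if remoteCert.Subject.CommonName != certName` reads more naturally and keeps the warning branch intact. `handle` starts and ends outside this hunk.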
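Review bot: `DNSNames: []string{commonName}` places the caller-supplied name into the DNS SAN list unconditionally, and nothing in the hunk checks that `commonName` is actually a host name. If a caller ever passes an IP literal, `VerifyHostname` matches IP addresses against `IPAddresses` rather than `DNSNames`, so the resulting certificate would still fail the Go 1.15 name check this patch is meant to fix; whether any caller does so is not visible here. If it is a possibility, branch on `net.ParseIP(commonName)` and populate `IPAddresses` instead of `DNSNames` for IP literals, and document on `NewCertificate` that `commonName` is also used as the subject alternative name. The `x509.Certificate` template literal begins before and ends after this hunk.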