Date:      Mon, 24 Aug 2020 17:50:38 +0000 (UTC)
From:      Steve Wills <swills@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r546103 - in head/net/syncthing: . files
Message-ID:  <202008241750.07OHocIa025065@repo.freebsd.org>

Author: swills
Date: Mon Aug 24 17:50:38 2020
New Revision: 546103
URL: https://svnweb.freebsd.org/changeset/ports/546103

Log:
  net/syncthing: fix SSL errors due to Go 1.15 behaviour change
  
  PR:		248867
  Submitted by:	James French <james@french.id.au>

Added:
  head/net/syncthing/files/patch-syncthing_lib_api_api.go   (contents, props changed)
  head/net/syncthing/files/patch-syncthing_lib_api_api__test.go   (contents, props changed)
  head/net/syncthing/files/patch-syncthing_lib_connections_service.go   (contents, props changed)
  head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go   (contents, props changed)
Modified:
  head/net/syncthing/Makefile   (contents, props changed)

Modified: head/net/syncthing/Makefile
==============================================================================
--- head/net/syncthing/Makefile	Mon Aug 24 17:40:54 2020	(r546102)
+++ head/net/syncthing/Makefile	Mon Aug 24 17:50:38 2020	(r546103)
@@ -2,6 +2,7 @@
 
 PORTNAME=	syncthing
 PORTVERSION=	1.8.0
+PORTREVISION=	1
 DISTVERSIONPREFIX=	v
 CATEGORIES=	net
 MASTER_SITES=	https://github.com/syncthing/syncthing/releases/download/v${PORTVERSION}/

Added: head/net/syncthing/files/patch-syncthing_lib_api_api.go
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/syncthing/files/patch-syncthing_lib_api_api.go	Mon Aug 24 17:50:38 2020	(r546103)
@@ -0,0 +1,47 @@
+--- syncthing/lib/api/api.go.orig	2020-08-11 08:56:46 UTC
++++ syncthing/lib/api/api.go
+@@ -149,7 +149,7 @@ func (s *service) getListener(guiCfg config.GUIConfigu
+ 	// If the certificate has expired or will expire in the next month, fail
+ 	// it and generate a new one.
+ 	if err == nil {
+-		err = checkExpiry(cert)
++		err = shouldRegenerateCertificate(cert)
+ 	}
+ 	if err != nil {
+ 		l.Infoln("Loading HTTPS certificate:", err)
+@@ -1736,7 +1736,11 @@ func addressIsLocalhost(addr string) bool {
+ 	}
+ }
+ 
+-func checkExpiry(cert tls.Certificate) error {
++// shouldRegenerateCertificate checks for certificate expiry or other known
++// issues with our API/GUI certificate and returns either nil (leave the
++// certificate alone) or an error describing the reason the certificate
++// should be regenerated.
++func shouldRegenerateCertificate(cert tls.Certificate) error {
+ 	leaf := cert.Leaf
+ 	if leaf == nil {
+ 		// Leaf can be nil or not, depending on how parsed the certificate
+@@ -1752,10 +1756,19 @@ func checkExpiry(cert tls.Certificate) error {
+ 		}
+ 	}
+ 
+-	if leaf.Subject.String() != leaf.Issuer.String() ||
+-		len(leaf.DNSNames) != 0 || len(leaf.IPAddresses) != 0 {
+-		// The certificate is not self signed, or has DNS/IP attributes we don't
++	if leaf.Subject.String() != leaf.Issuer.String() || len(leaf.IPAddresses) != 0 {
++		// The certificate is not self signed, or has IP attributes we don't
+ 		// add, so we leave it alone.
++		return nil
++	}
++	if len(leaf.DNSNames) > 1 {
++		// The certificate has more DNS SANs attributes than we ever add, so
++		// we leave it alone.
++		return nil
++	}
++	if len(leaf.DNSNames) == 1 && leaf.DNSNames[0] != leaf.Issuer.CommonName {
++		// The one SAN is different from the issuer, so it's not one of our
++		// newer self signed certificates.
+ 		return nil
+ 	}
+ 
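Review bot: The caller comment near the top of the hunk (`// If the certificate has expired or will expire in the next month, fail it and generate a new one.`) is now stale: the call it guards is shouldRegenerateCertificate, whose own doc comment says it reports other known issues besides expiry, and the new early returns show that a SAN-less or single-SAN self-signed certificate is deliberately passed on for further checks. Suggest `// If the certificate has expired, will expire in the next month, or has another known issue (see shouldRegenerateCertificate), fail it and generate a new one.`. The third hunk ends before the function's remaining checks, so what it finally returns for a certificate with no SANs (presumably the regeneration trigger this commit needs for Go 1.15) is not visible here, and the accompanying api_test.go patch only renames calls, so none of the new DNSNames branches gets a test in this commit. Also, `leaf.DNSNames[0] != leaf.Issuer.CommonName` is a case-sensitive comparison while VerifyHostname matches DNS names case-insensitively; that is tolerable because a mismatch only leaves the certificate alone, but worth a short comment.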

Added: head/net/syncthing/files/patch-syncthing_lib_api_api__test.go
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/syncthing/files/patch-syncthing_lib_api_api__test.go	Mon Aug 24 17:50:38 2020	(r546103)
@@ -0,0 +1,38 @@
+--- syncthing/lib/api/api_test.go.orig	2020-08-11 08:56:46 UTC
++++ syncthing/lib/api/api_test.go
+@@ -1136,7 +1136,7 @@ func TestPrefixMatch(t *testing.T) {
+ 	}
+ }
+ 
+-func TestCheckExpiry(t *testing.T) {
++func TestShouldRegenerateCertificate(t *testing.T) {
+ 	dir, err := ioutil.TempDir("", "syncthing-test")
+ 	if err != nil {
+ 		t.Fatal(err)
+@@ -1149,7 +1149,7 @@ func TestCheckExpiry(t *testing.T) {
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+-	if err := checkExpiry(crt); err == nil {
++	if err := shouldRegenerateCertificate(crt); err == nil {
+ 		t.Error("expected expiry error")
+ 	}
+ 
+@@ -1158,7 +1158,7 @@ func TestCheckExpiry(t *testing.T) {
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+-	if err := checkExpiry(crt); err != nil {
++	if err := shouldRegenerateCertificate(crt); err != nil {
+ 		t.Error("expected no error:", err)
+ 	}
+ 
+@@ -1168,7 +1168,7 @@ func TestCheckExpiry(t *testing.T) {
+ 		if err != nil {
+ 			t.Fatal(err)
+ 		}
+-		if err := checkExpiry(crt); err == nil {
++		if err := shouldRegenerateCertificate(crt); err == nil {
+ 			t.Error("expected expiry error")
+ 		}
+ 	}

Added: head/net/syncthing/files/patch-syncthing_lib_connections_service.go
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/syncthing/files/patch-syncthing_lib_connections_service.go	Mon Aug 24 17:50:38 2020	(r546103)
@@ -0,0 +1,15 @@
+--- syncthing/lib/connections/service.go.orig	2020-08-11 08:56:46 UTC
++++ syncthing/lib/connections/service.go
+@@ -305,7 +305,11 @@ func (s *service) handle(ctx context.Context) {
+ 		if certName == "" {
+ 			certName = s.tlsDefaultCommonName
+ 		}
+-		if err := remoteCert.VerifyHostname(certName); err != nil {
++		if remoteCert.Subject.CommonName == certName {
++			// All good. We do this check because our old style certificates
++			// have "syncthing" in the CommonName field and no SANs, which
++			// is not accepted by VerifyHostname() any more as of Go 1.15.
++		} else if err := remoteCert.VerifyHostname(certName); err != nil {
+ 			// Incorrect certificate name is something the user most
+ 			// likely wants to know about, since it's an advanced
+ 			// config. Warn instead of Info.
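Review bot: The new fallback at the top of the hunk skips VerifyHostname entirely whenever Subject.CommonName equals certName, so on that path the name check is reduced to a plain string compare with none of the SAN matching VerifyHostname performs; this is only acceptable if the peer's identity is pinned elsewhere in handle by its device ID (not visible in this hunk), and the comment should say so explicitly. The empty `if` body that exists only to hold a comment is also awkward; the same logic reads more naturally as `legacyNameOK := remoteCert.Subject.CommonName == certName` followed by `if err := remoteCert.VerifyHostname(certName); err != nil && !legacyNameOK {`, with the Go 1.15 explanation as a comment above the first line. Note the comparison is case-sensitive whereas VerifyHostname is not, so a CommonName differing only in case still goes through VerifyHostname, which is the conservative outcome. handle starts and ends outside the hunk.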

Added: head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go	Mon Aug 24 17:50:38 2020	(r546103)
@@ -0,0 +1,10 @@
+--- syncthing/lib/tlsutil/tlsutil.go.orig	2020-08-11 08:56:46 UTC
++++ syncthing/lib/tlsutil/tlsutil.go
+@@ -106,6 +106,7 @@ func NewCertificate(certFile, keyFile, commonName stri
+ 		Subject: pkix.Name{
+ 			CommonName: commonName,
+ 		},
++		DNSNames:              []string{commonName},
+ 		NotBefore:             notBefore,
+ 		NotAfter:              notAfter,
+ 		SignatureAlgorithm:    x509.ECDSAWithSHA256,
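Review bot: The added `DNSNames: []string{commonName}` copies the configured common name into the SAN list verbatim; as far as I recall x509.CreateCertificate rejects DNS SANs that are not IA5 (ASCII) strings, so a commonName that was previously accepted as a CN only may now make certificate generation fail, and the enclosing NewCertificate (which starts outside this hunk) should either validate it or document the constraint. Since the api.go patch in this commit recognises its own certificates by a single SAN equal to the issuer's CommonName, the invariant that the SAN equals the CN is load-bearing and deserves a comment here, e.g. `// The single SAN must equal the CN: shouldRegenerateCertificate relies on that to recognise our own certificates, and Go 1.15 VerifyHostname no longer falls back to the CN.`.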


