Date: Mon, 24 Aug 2020 17:50:38 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r546103 - in head/net/syncthing: . files Message-ID: <202008241750.07OHocIa025065@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: swills Date: Mon Aug 24 17:50:38 2020 New Revision: 546103 URL: https://svnweb.freebsd.org/changeset/ports/546103 Log: net/syncthing: fix SSL errors due to Go 1.15 behaviour change PR: 248867 Submitted by: James French <james@french.id.au> Added: head/net/syncthing/files/patch-syncthing_lib_api_api.go (contents, props changed) head/net/syncthing/files/patch-syncthing_lib_api_api__test.go (contents, props changed) head/net/syncthing/files/patch-syncthing_lib_connections_service.go (contents, props changed) head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go (contents, props changed) Modified: head/net/syncthing/Makefile (contents, props changed) Modified: head/net/syncthing/Makefile ============================================================================== --- head/net/syncthing/Makefile Mon Aug 24 17:40:54 2020 (r546102) +++ head/net/syncthing/Makefile Mon Aug 24 17:50:38 2020 (r546103) @@ -2,6 +2,7 @@ PORTNAME= syncthing PORTVERSION= 1.8.0 +PORTREVISION= 1 DISTVERSIONPREFIX= v CATEGORIES= net MASTER_SITES= https://github.com/syncthing/syncthing/releases/download/v${PORTVERSION}/ Added: head/net/syncthing/files/patch-syncthing_lib_api_api.go ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_api_api.go Mon Aug 24 17:50:38 2020 (r546103) @@ -0,0 +1,47 @@ +--- syncthing/lib/api/api.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/api/api.go +@@ -149,7 +149,7 @@ func (s *service) getListener(guiCfg config.GUIConfigu + // If the certificate has expired or will expire in the next month, fail + // it and generate a new one. + if err == nil { +- err = checkExpiry(cert) ++ err = shouldRegenerateCertificate(cert) + } + if err != nil { + l.Infoln("Loading HTTPS certificate:", err) +@@ -1736,7 +1736,11 @@ func addressIsLocalhost(addr string) bool { + } + } + +-func checkExpiry(cert tls.Certificate) error { ++// shouldRegenerateCertificate checks for certificate expiry or other known ++// issues with our API/GUI certificate and returns either nil (leave the ++// certificate alone) or an error describing the reason the certificate ++// should be regenerated. ++func shouldRegenerateCertificate(cert tls.Certificate) error { + leaf := cert.Leaf + if leaf == nil { + // Leaf can be nil or not, depending on how parsed the certificate +@@ -1752,10 +1756,19 @@ func checkExpiry(cert tls.Certificate) error { + } + } + +- if leaf.Subject.String() != leaf.Issuer.String() || +- len(leaf.DNSNames) != 0 || len(leaf.IPAddresses) != 0 { +- // The certificate is not self signed, or has DNS/IP attributes we don't ++ if leaf.Subject.String() != leaf.Issuer.String() || len(leaf.IPAddresses) != 0 { ++ // The certificate is not self signed, or has IP attributes we don't + // add, so we leave it alone. ++ return nil ++ } ++ if len(leaf.DNSNames) > 1 { ++ // The certificate has more DNS SANs attributes than we ever add, so ++ // we leave it alone. ++ return nil ++ } ++ if len(leaf.DNSNames) == 1 && leaf.DNSNames[0] != leaf.Issuer.CommonName { ++ // The one SAN is different from the issuer, so it's not one of our ++ // newer self signed certificates. + return nil + } + Added: head/net/syncthing/files/patch-syncthing_lib_api_api__test.go ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_api_api__test.go Mon Aug 24 17:50:38 2020 (r546103) @@ -0,0 +1,38 @@ +--- syncthing/lib/api/api_test.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/api/api_test.go +@@ -1136,7 +1136,7 @@ func TestPrefixMatch(t *testing.T) { + } + } + +-func TestCheckExpiry(t *testing.T) { ++func TestShouldRegenerateCertificate(t *testing.T) { + dir, err := ioutil.TempDir("", "syncthing-test") + if err != nil { + t.Fatal(err) +@@ -1149,7 +1149,7 @@ func TestCheckExpiry(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if err := checkExpiry(crt); err == nil { ++ if err := shouldRegenerateCertificate(crt); err == nil { + t.Error("expected expiry error") + } + +@@ -1158,7 +1158,7 @@ func TestCheckExpiry(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if err := checkExpiry(crt); err != nil { ++ if err := shouldRegenerateCertificate(crt); err != nil { + t.Error("expected no error:", err) + } + +@@ -1168,7 +1168,7 @@ func TestCheckExpiry(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if err := checkExpiry(crt); err == nil { ++ if err := shouldRegenerateCertificate(crt); err == nil { + t.Error("expected expiry error") + } + } Added: head/net/syncthing/files/patch-syncthing_lib_connections_service.go ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_connections_service.go Mon Aug 24 17:50:38 2020 (r546103) @@ -0,0 +1,15 @@ +--- syncthing/lib/connections/service.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/connections/service.go +@@ -305,7 +305,11 @@ func (s *service) handle(ctx context.Context) { + if certName == "" { + certName = s.tlsDefaultCommonName + } +- if err := remoteCert.VerifyHostname(certName); err != nil { ++ if remoteCert.Subject.CommonName == certName { ++ // All good. We do this check because our old style certificates ++ // have "syncthing" in the CommonName field and no SANs, which ++ // is not accepted by VerifyHostname() any more as of Go 1.15. ++ } else if err := remoteCert.VerifyHostname(certName); err != nil { + // Incorrect certificate name is something the user most + // likely wants to know about, since it's an advanced + // config. Warn instead of Info. Added: head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go Mon Aug 24 17:50:38 2020 (r546103) @@ -0,0 +1,10 @@ +--- syncthing/lib/tlsutil/tlsutil.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/tlsutil/tlsutil.go +@@ -106,6 +106,7 @@ func NewCertificate(certFile, keyFile, commonName stri + Subject: pkix.Name{ + CommonName: commonName, + }, ++ DNSNames: []string{commonName}, + NotBefore: notBefore, + NotAfter: notAfter, + SignatureAlgorithm: x509.ECDSAWithSHA256,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202008241750.07OHocIa025065>