authorGluzskiy Alexandr <sss@sss.chaoslab.ru>2018-04-29 17:41:49 +0300
committerGluzskiy Alexandr <sss@sss.chaoslab.ru>2018-04-29 17:41:49 +0300
commitc9c897f051ae6fba99eed25f10cbaf8061d40074 (patch)
treeea0746fbf20d9f5871e81dc7541014d48c551bca
parent9c35ec5f6b534d02b826d0afcea3de18dab98834 (diff)
syncthing: better tls params
-rw-r--r--net-p2p/syncthing/files/tls_params.patch28
-rw-r--r--net-p2p/syncthing/syncthing-scm.ebuild6
2 files changed, 33 insertions, 1 deletions
diff --git a/net-p2p/syncthing/files/tls_params.patch b/net-p2p/syncthing/files/tls_params.patch
new file mode 100644
index 0000000..92b79ed
--- /dev/null
+++ b/net-p2p/syncthing/files/tls_params.patch
@@ -0,0 +1,28 @@
+diff --git a/cmd/syncthing/gui.go b/cmd/syncthing/gui.go
+index 29fc35b9..8e080237 100644
+--- a/cmd/syncthing/gui.go
++++ b/cmd/syncthing/gui.go
+@@ -187,19 +187,14 @@ func (s *apiService) getListener(guiCfg config.GUIConfiguration) (net.Listener,
+ }
+ tlsCfg := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+- MinVersion: tls.VersionTLS10, // No SSLv3
++ MinVersion: tls.VersionTLS11,
+ CipherSuites: []uint16{
+ // No RC4
++ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
++ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
++ tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+- tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+- tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ },
+ }
+
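Review bot: `MinVersion: tls.VersionTLS11` does not match the cipher list left in `tlsCfg`: all five remaining suites are AEAD suites (ChaCha20-Poly1305 or AES-GCM), which exist only in TLS 1.2, so a TLS 1.1 client has nothing to negotiate and the effective floor is already 1.2. Writing `MinVersion: tls.VersionTLS12,` states the policy explicitly and stops it from weakening if a CBC suite is ever re-added. Separately, `tls.TLS_RSA_WITH_AES_128_GCM_SHA256` uses static RSA key exchange (no forward secrecy) and is listed ahead of the two ECDHE AES-GCM suites; if server-side preference order is enabled (not visible in this hunk) it would be chosen over them, so consider dropping it or moving it last. The leftover `// No RC4` comment no longer describes the list and could read `// AEAD suites only`. The enclosing `getListener` starts and ends outside the hunk.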
diff --git a/net-p2p/syncthing/syncthing-scm.ebuild b/net-p2p/syncthing/syncthing-scm.ebuild
index 1bdbe73..8071fc4 100644
--- a/net-p2p/syncthing/syncthing-scm.ebuild
+++ b/net-p2p/syncthing/syncthing-scm.ebuild
@@ -28,6 +28,10 @@ GO_PN="github.com/${PN}/${PN}"
EGIT_CHECKOUT_DIR="${S}/src/github.com/syncthing/syncthing"
S=${EGIT_CHECKOUT_DIR}
+PATCHES=(
+ "${FILESDIR}/tls_params.patch"
+)
+
src_compile() {
go run build.go
}
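Review bot: Whether `PATCHES` is applied at all depends on parts of the ebuild outside this hunk: the array is consumed only by the default `src_prepare` of EAPI 6 and later, so with an older EAPI, or a custom `src_prepare` that never calls `default`, the build would succeed and silently ship the unpatched TLS settings. Because this is a live `-scm` ebuild, the patch context pinned at `gui.go` line 187 will also stop applying once upstream changes that block; that fails the build, which is the safe direction. A comment above the array would help whoever hits that failure, for example `# hardens GUI TLS config; re-diff against upstream HEAD when this stops applying`.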
@@ -58,4 +62,4 @@ pkg_postinst() {
elog "To enable it at startup:"
elog " ${ECHO_2}"
einfo
-} \ No newline at end of file
+}