From c9c897f051ae6fba99eed25f10cbaf8061d40074 Mon Sep 17 00:00:00 2001
From: Gluzskiy Alexandr
Date: Sun, 29 Apr 2018 17:41:49 +0300
Subject: syncthing: better tls params

---
 net-p2p/syncthing/files/tls_params.patch | 28 ++++++++++++++++++++++++++++
 net-p2p/syncthing/syncthing-scm.ebuild | 6 +++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 net-p2p/syncthing/files/tls_params.patch

diff --git a/net-p2p/syncthing/files/tls_params.patch b/net-p2p/syncthing/files/tls_params.patch
new file mode 100644
index 0000000..92b79ed
--- /dev/null
+++ b/net-p2p/syncthing/files/tls_params.patch
@@ -0,0 +1,28 @@
+diff --git a/cmd/syncthing/gui.go b/cmd/syncthing/gui.go
+index 29fc35b9..8e080237 100644
+--- a/cmd/syncthing/gui.go
++++ b/cmd/syncthing/gui.go
+@@ -187,19 +187,14 @@ func (s *apiService) getListener(guiCfg config.GUIConfiguration) (net.Listener,
+ }
+ tlsCfg := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+- MinVersion: tls.VersionTLS10, // No SSLv3
++ MinVersion: tls.VersionTLS11,
+ CipherSuites: []uint16{
+ // No RC4
++ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
++ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
++ tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+- tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+- tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ },
+ }
+ 
diff --git a/net-p2p/syncthing/syncthing-scm.ebuild b/net-p2p/syncthing/syncthing-scm.ebuild
index 1bdbe73..8071fc4 100644
--- a/net-p2p/syncthing/syncthing-scm.ebuild
+++ b/net-p2p/syncthing/syncthing-scm.ebuild
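Review bot: The new cipher list adds `tls.TLS_RSA_WITH_AES_128_GCM_SHA256` and places it ahead of the ECDHE suites, yet it is the only entry without forward secrecy (static RSA key exchange), so any session negotiated with it can be decrypted retroactively if the GUI certificate's private key is ever recovered. Removing that one line would leave an ECDHE-only list, which is what dropping the CBC and 3DES suites already seems to aim for; if a non-ECDHE client must be supported, moving it to the end of the list at least keeps it as a last resort rather than a preferred choice. Every remaining suite is a TLS 1.2-only AEAD suite, so `MinVersion: tls.VersionTLS11` admits no cipher a TLS 1.1 client could actually use; `MinVersion: tls.VersionTLS12,` states the effective policy directly, and the dropped `// No SSLv3` comment could be replaced with `// TLS 1.2 only: every suite below is an AEAD suite` so the intent is recorded. The enclosing getListener body starts and ends outside the inner hunk.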
@@ -28,6 +28,10 @@ GO_PN="github.com/${PN}/${PN}"
 EGIT_CHECKOUT_DIR="${S}/src/github.com/syncthing/syncthing"
 S=${EGIT_CHECKOUT_DIR}
 
+PATCHES=(
+ "${FILESDIR}/tls_params.patch"
+)
+
 src_compile() {
 go run build.go
 }
@@ -58,4 +62,4 @@ pkg_postinst() {
 elog "To enable it at startup:"
 elog " ${ECHO_2}"
 einfo
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3
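Review bot: The added `PATCHES=( "${FILESDIR}/tls_params.patch" )` is only applied automatically by the default `src_prepare` of EAPI 6 and later, and the ebuild's EAPI line and any `src_prepare` definition are outside this hunk. If the ebuild declares an earlier EAPI, or overrides `src_prepare` without calling `default`, the TLS hardening patch is silently skipped while the build still succeeds, so this is worth confirming before relying on the change. Where an explicit hook is needed, `src_prepare() { default; }` is enough to apply the array.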