alex2108 / syncthing-tray

trayicon to display status of syncthing
MIT License
57 stars, 9 forks

Trust certificate on first use #2

Open generalmanager opened 9 years ago

generalmanager commented 9 years ago

It seems like it checks if the certificate domain matches the domain given via -target, which fails because of Syncthing's self-signed certificate with a fake domain:

ERROR: Get https://localhost:8080/rest/config: x509: certificate is valid for syncthing, not localhost

alex2108 commented 9 years ago

The check of the certificate seems to be the default of Go; it should not be too hard to deactivate.

generalmanager commented 9 years ago

Thanks for your quick reply! As long as there is no authentication going on (or the UI being on localhost), disabling the TLS check should be justifiable from a security perspective if the data isn't top secret. In all other scenarios this would be a very dangerous thing to do, because it would make a man-in-the-middle attack trivial. A trust-on-first-use (TOFU) based behaviour would be a lot better for that.

This means automatically accepting the certificate when contact is first made and saving it, so that it can't be replaced without a pop-up warning that there is either an active attack going on, or the tray application being run after wiping the pulse config/on a different computer.


alex2108 commented 9 years ago

Trust on first use is better, that's correct. I will have to look how to implement that.

As a fast fix I will deactivate the check but keep this open for a real fix of the problem.

generalmanager commented 9 years ago

Awesome, thanks! Would be nice if you informed the user about the ignoring, if the host is different from localhost/127.0.0.1.

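The TOFU scheme generalmanager describes (pin the certificate on first contact, refuse silently replaced ones afterwards) together with the request to warn when the target is not local, written out as an added Go example. This is not code from syncthing-tray; the pin directory layout, the file naming, the `PinStore`, `VerifyTOFU`, `IsLoopback` and `NewClient` names and the `onFirstUse` callback are all assumptions made for this illustration. The key point it shows is that `InsecureSkipVerify` only replaces Go's default chain-and-hostname check (the one that fails on the "syncthing" name); the pin is still enforced by `VerifyPeerCertificate`.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrPinMismatch: the server presented a leaf certificate other than the one pinned on first use.
var ErrPinMismatch = errors.New("tls: presented certificate does not match pinned fingerprint")

// Fingerprint is the hex SHA-256 of a DER-encoded certificate; this is what gets pinned.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinStore keeps one fingerprint file per target under Dir (hypothetical layout, not the project's).
type PinStore struct{ Dir string }

func (s PinStore) path(host string) string {
	return filepath.Join(s.Dir, strings.NewReplacer(":", "_", "/", "_").Replace(host)+".sha256")
}

// Load returns the pinned fingerprint for host and whether one exists.
func (s PinStore) Load(host string) (string, bool, error) {
	b, err := os.ReadFile(s.path(host))
	if errors.Is(err, os.ErrNotExist) {
		return "", false, nil
	}
	if err != nil {
		return "", false, err
	}
	return strings.TrimSpace(string(b)), true, nil
}

// Save records the fingerprint with 0600 permissions, since it is trust-relevant state.
func (s PinStore) Save(host, fp string) error {
	if err := os.MkdirAll(s.Dir, 0o700); err != nil {
		return err
	}
	return os.WriteFile(s.path(host), []byte(fp+"\n"), 0o600)
}

// VerifyTOFU builds a tls.Config.VerifyPeerCertificate callback: pin the leaf on first
// contact, then require the identical leaf on every later connection. onFirstUse lets the
// caller tell the user that a new certificate was just trusted.
func (s PinStore) VerifyTOFU(host string, onFirstUse func(fp string)) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("tls: server presented no certificate")
		}
		got := Fingerprint(rawCerts[0])
		want, pinned, err := s.Load(host)
		if err != nil {
			return err
		}
		if !pinned {
			if onFirstUse != nil {
				onFirstUse(got)
			}
			return s.Save(host, got)
		}
		if got != want {
			// Either the pin store was wiped / copied to another machine, or something sits between us and the server.
			return fmt.Errorf("%w for %s: got %s, pinned %s", ErrPinMismatch, host, got, want)
		}
		return nil
	}
}

// IsLoopback reports whether target ("host" or "host:port") refers to the local machine.
func IsLoopback(target string) bool {
	host, _, err := net.SplitHostPort(target)
	if err != nil {
		host = target
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// NewClient wires the callback into an http.Client. InsecureSkipVerify only disables Go's
// default chain+hostname check; VerifyPeerCertificate still runs and enforces the pin.
func NewClient(store PinStore, host string, onFirstUse func(string)) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: store.VerifyTOFU(host, onFirstUse),
	}}}
}

func main() {
	target := "localhost:8080" // stands in for the -target value; constructed for this example
	store := PinStore{Dir: filepath.Join(os.TempDir(), "syncthing-tray-pins")}
	client := NewClient(store, target, func(fp string) { fmt.Printf("trusting %s on first use, SHA-256 %s\n", target, fp) })
	if !IsLoopback(target) {
		fmt.Println("warning: target is not local; the pinned certificate is the only protection against MITM")
	}
	_, err := client.Get("https://" + target + "/rest/config")
	fmt.Println("request error:", err) // a connection error unless a Syncthing GUI is actually listening
}
```

Pinning the leaf rather than the chain is the right choice for a self-signed certificate: there is no CA to fall back on, so the fingerprint is the whole trust decision, and a mismatch must be surfaced to the user rather than retried.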

alex2108 commented 9 years ago

added -i in https://github.com/alex2108/syncthing-tray/commit/7e73ffc0373923b198a80f3223e5737219b8a734 to skip the check

leaving it open with changed title because saving the certificate would be better

generalmanager commented 9 years ago

Thanks for the workaround until it can be done right!
