From 64354b51c9f9981a9a572c9338e9856c55ace837 Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Wed, 9 Sep 2015 12:55:17 +0200
Subject: [PATCH] Generate certs with SHA256 signature instead of SHA1
Doesn't matter at all for BEP, but the same stuff is used by the web UI and modern browsers are starting to dislike SHA1 extra much.
---
 cmd/syncthing/main.go | 5 ++++-
 lib/tlsutil/tlsutil.go | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/cmd/syncthing/main.go b/cmd/syncthing/main.go
index 4dce776c..446dec53 100644
--- a/cmd/syncthing/main.go
+++ b/cmd/syncthing/main.go
@@ -302,9 +302,12 @@ func main() {
 l.Infoln("Device ID:", protocol.NewDeviceID(cert.Certificate[0]))
 } else {
 cert, err = tlsutil.NewCertificate(certFile, keyFile, tlsDefaultCommonName, tlsRSABits)
+ if err != nil {
+ l.Fatalln("Create certificate:", err)
+ }
 myID = protocol.NewDeviceID(cert.Certificate[0])
 if err != nil {
- l.Fatalln("load cert:", err)
+ l.Fatalln("Load certificate:", err)
 }
 if err == nil {
 l.Infoln("Device ID:", protocol.NewDeviceID(cert.Certificate[0]))
diff --git a/lib/tlsutil/tlsutil.go b/lib/tlsutil/tlsutil.go
index 3820cb51..f8e5365e 100644
--- a/lib/tlsutil/tlsutil.go
+++ b/lib/tlsutil/tlsutil.go
@@ -47,6 +47,7 @@ func NewCertificate(certFile, keyFile, tlsDefaultCommonName string, tlsRSABits i
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 BasicConstraintsValid: true,
+ SignatureAlgorithm: x509.SHA256WithRSA,
 }
 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
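Review bot: In the `else` branch of cmd/syncthing/main.go, the second `if err != nil { l.Fatalln("Load certificate:", err) }` can no longer fire and the following `if err == nil` is always true. This assumes `l.Fatalln` exits the process; nothing between the new `Create certificate:` check and those tests assigns `err`. The relabelled message is therefore dead code, and it names a load step that this branch does not perform. I would drop both conditionals and log once with `l.Infoln("Device ID:", myID)`. The body of `main` starts and continues outside the hunk.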
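Review bot: Certificates already on disk keep their SHA-1 signature, because `SignatureAlgorithm: x509.SHA256WithRSA` in lib/tlsutil/tlsutil.go is set only on the template for newly generated ones. The browser warnings named in the description will therefore persist on existing installs. Consider checking the loaded web UI certificate's `SignatureAlgorithm` at startup and at least logging when it is SHA-1 based; regenerating the device certificate would presumably change the device ID, since main.go derives it from `cert.Certificate[0]`. A short comment on the field would record the intent, e.g. `// Explicit SHA-256: browsers warn on SHA-1 signed certificates (web UI).`, and note that the constant is only valid while `priv` is an RSA key. The body of `NewCertificate` starts and continues outside the hunk.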