This changes the TLS and certificate handling in a few ways:

- We always use TLS 1.2, both for sync connections (as previously) and the GUI/REST/discovery stuff. This is a tightening of the requirements on the GUI. As far as I can tell from caniusethis.com every browser from 2013 and forward supports TLS 1.2, so I think we should be fine.
- We always create ECDSA certificates. Previously we'd create ECDSA-with-RSA certificates for sync connections and pure RSA certificates for the web stuff. The new default is more modern and the same everywhere. These certificates are OK in TLS 1.2.
- We use the Go CPU detection stuff to choose the cipher suites to use, indirectly. The TLS package uses CPU capabilities probing to select either AES-GCM (fast if we have AES-NI) or ChaCha20 (faster if we don't). These CPU detection things aren't exported though, so the tlsutil package now does a quick TLS handshake with itself as part of init(). If the chosen cipher suite was AES-GCM we prioritize that, otherwise we prefer ChaCha20. Some might call this ugly. I think it's awesome.
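The three pieces of the change above (TLS 1.2 only, ECDSA certificates everywhere, and a loopback handshake to learn which AEAD suite the Go TLS stack prefers on this CPU) fit together in a short program. What follows is an added example written for this page, not Syncthing's tlsutil code: the function names newECDSACert, probeCipherSuite and preferredSuites and the name "probe.example" are assumptions chosen here, and the cipher-suite lists are the ECDHE-ECDSA AEAD suites from Go's crypto/tls rather than whatever list the real package uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newECDSACert builds a self-signed P-256 ECDSA certificate for the given
// name, usable as both a server and a client certificate (one kind of
// certificate for sync and web listeners alike).
func newECDSACert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// probeCipherSuite runs a TLS 1.2 handshake against ourselves over an
// in-memory pipe and returns the resulting connection state. Go's TLS stack
// uses its own (unexported) CPU feature detection when it orders suites, so
// the suite chosen on a loopback handshake reveals whether AES-GCM is the
// fast choice on this machine.
func probeCipherSuite(cert tls.Certificate) (tls.ConnectionState, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return tls.ConnectionState{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // pin our own certificate rather than skipping verification

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // the question is specifically about TLS 1.2 suite choice
	}
	clientCfg := &tls.Config{
		RootCAs:    roots,
		ServerName: leaf.DNSNames[0],
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}

	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(serverEnd, serverCfg).Handshake() }()

	cli := tls.Client(clientEnd, clientCfg)
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

// preferredSuites orders the ECDHE-ECDSA AEAD suites for this host: AES-GCM
// first when the probe landed on AES-GCM, ChaCha20-Poly1305 first otherwise.
func preferredSuites(probed uint16) []uint16 {
	aes := []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	}
	chacha := []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}
	if probed == tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 {
		return append(chacha, aes...)
	}
	return append(aes, chacha...)
}

func main() {
	cert, err := newECDSACert("probe.example") // constructed name for the loopback probe
	if err != nil {
		panic(err)
	}
	state, err := probeCipherSuite(cert)
	if err != nil {
		panic(err)
	}
	fmt.Printf("probe picked %s\n", tls.CipherSuiteName(state.CipherSuite))
	for _, s := range preferredSuites(state.CipherSuite) {
		fmt.Println("  prefer:", tls.CipherSuiteName(s))
	}
}
```

The probe pins its own certificate as the client's only root instead of setting InsecureSkipVerify, so the same code path that a real listener uses for verification is exercised. Note that from Go 1.17 onward crypto/tls ignores the order of Config.CipherSuites and applies its own hardware-aware ordering, so on current toolchains the returned list is informative rather than something you need to feed back into the config.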
relaypoolsrv
This is the relay pool server for the syncthing project, which allows community hosted relaysrv instances to join the public pool.

Servers that join the pool are then advertised to users of syncthing as potential connection points for those who are unable to connect directly due to NAT or firewall issues.

There is very little reason why you'd want to run this yourself, as relaypoolsrv is just used for announcement and lookup of public relay servers. If you are looking to set up a private or a public relay, please check the documentation for relaysrv, which also explains how to join the default public pool.
See relaypoolsrv -help for configuration options.
Third-party attributions
oschwald/geoip2-golang, oschwald/maxminddb-golang, Copyright (C) 2015 Gregory J. Oschwald.
lib/pq, Copyright (C) 2011-2013 'pq' Contributors. Portions Copyright (C) 2011 Blake Mizerany.