how is syncthing accepting the connection with the Certificate.

The CN is “syncthing” for all connections (clients).

Why did the connection not fail at the handshake?

And how do you make the following:

Key usage:
Usage: Certificate signing
Critical: Yes

Extended key usage:
Permitted purposes: Server authentication, Client authentication
Critical: No

Basic constraints:
Certificate authority: No
Critical: Yes

Normally this is:

Subject Key Identifier:
Key identifier: BF DF __
Critical: No

Extension:
Identifier: 2.5.29.35 (Authority Key Identifier)
Value: 30 16 80 14 BF DF __
Critical: No

Basic constraints:
Certificate authority: Yes
Maximum path length: Unlimited
Critical: No

The connection doesn’t fail because Syncthing verifies the device ID. I’m not sure what your second question is. This documentation article is relevant: https://docs.syncthing.net/dev/device-ids.html

I tried to make a certificate with openssl, but the connection asks for the CN (3rd party), not Syncthing (device ID)? How is the certificate made for Syncthing?

Syncthing expects the CN to be syncthing - there is an advanced config you can set to another value per device if you want to use a custom certificate with a different CN. Apart from that it’s just a regular self-signed certificate, no magic.

No magic, but a little voodoo with the parameter keyUsage=critical, nonRepudiation, cRLSign

syncthing:

Key usage
Usage:	Certificate signing
Critical:	Yes

test:

Key usage
Usage:	Digital signature

                Certificate signing

Critical:	Yes

Is “Certificaatondertekening” (certificate signing) a unique name? And is this important for accepting the connection?

PS: remove nonRepudiation or cRLSign and “Digital signature” will stay there, “Certificate signing” will disappear.

[ v3_ca ]
keyUsage=critical, nonRepudiation, cRLSign
extendedKeyUsage=serverAuth,clientAuth
basicConstraints = critical,CA:FALSE

I have literally no idea what you are talking about. These concepts you talk about have no meaning in english.

Those are key usage bits, but in like Dutch or something. We set the bits for encryption, digital signatures, server auth, and client auth when creating the certificate. We don’t actually care what bits are set after that point, other than what the Go TLS client might enforce by default.

So standard extensions such as “Key Usage”, “Extended Key Usage” and “Subject Key Identifier” are just information in the certificate and are not used in Go (Syncthing, other code)? Or is it ignored in Syncthing only?

I expect this error:

sslErrors:
"The host name did not match any of the valid hosts for this certificate"
end sslErrors

The only name verification we do is that the CN should be “syncthing”, unless configured otherwise.
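The two replies above (“no magic, just a regular self-signed certificate with CN syncthing” and “the only name verification we do is the CN; the device ID is what is verified”) can be made concrete in Go, the language Syncthing and its TLS stack are written in. The block below is an added example written for this page, not Syncthing’s own code: it generates the kind of certificate the thread describes, shows that a generic client’s host-name check (`VerifyHostname`, standing in for the “host name did not match” error expected earlier) rejects it, and shows the replacement check wired into `tls.Config`: CN must be “syncthing” and the SHA-256 of the DER certificate must equal the expected device ID. The function names, the choice of ECDSA P-256, and the use of the raw hash (without the base32/check-digit display encoding described in the linked docs) are this example’s assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// expectedCN is the name the thread says Syncthing checks unless configured otherwise.
const expectedCN = "syncthing"

// NewSelfSignedCert builds the certificate the thread describes: self-signed, CN only,
// no SAN, CA:FALSE, with the key-usage bits mentioned in the reply (encryption, digital
// signature, serverAuth, clientAuth). None of those extensions carry identity.
func NewSelfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: P-256 is just a convenient choice here
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // CA:FALSE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// DeviceID is the peer identity: SHA-256 over the DER certificate bytes (display encoding omitted).
type DeviceID [sha256.Size]byte

func DeviceIDOf(der []byte) DeviceID { return sha256.Sum256(der) }

// StandardNameCheck is what a generic TLS client does: match the host name against the
// certificate's SANs. A CN-only certificate fails it, which is the "host name did not match" error.
func StandardNameCheck(der []byte, host string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

// VerifyPeer is the replacement check: CN must be "syncthing" and the certificate hash must
// equal the device ID we expect. With InsecureSkipVerify set, this is the only verification Go runs.
func VerifyPeer(expected DeviceID) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) != 1 {
			return errors.New("expected exactly one peer certificate")
		}
		cert, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if cert.Subject.CommonName != expectedCN {
			return fmt.Errorf("unexpected CN %q, want %q", cert.Subject.CommonName, expectedCN)
		}
		if got := DeviceIDOf(rawCerts[0]); got != expected {
			return fmt.Errorf("device ID mismatch: got %x, want %x", got, expected)
		}
		return nil
	}
}

// PeerConfig wires the check into Go's TLS stack for both roles: InsecureSkipVerify turns off the
// CA and host-name checks, VerifyPeerCertificate pins the peer, ClientAuth demands a client cert.
// InsecureSkipVerify without the pin would accept anyone; the pin is what makes it safe.
func PeerConfig(own tls.Certificate, expected DeviceID) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{own},
		ClientAuth:            tls.RequireAnyClientCert,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: VerifyPeer(expected),
		MinVersion:            tls.VersionTLS13,
	}
}

func main() {
	own, _ := NewSelfSignedCert(expectedCN)
	id := DeviceIDOf(own.Certificate[0])
	fmt.Printf("device ID (raw sha256): %x\n", id)
	fmt.Println("generic host-name check:", StandardNameCheck(own.Certificate[0], expectedCN))
	fmt.Println("syncthing-style check:  ", VerifyPeer(id)(own.Certificate, nil))
}
```

Running it prints a host-name error from the generic check and `<nil>` from the pinned check for the same certificate, which is the whole difference the thread is about: the handshake itself is standard TLS from the Go library, only the post-handshake identity decision is different.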

OK, then the communication protocol is different from the standard. In other words, the TLS handshake is written by yourselves and not by a library. Damn :confused:

No. You should really read the link I posted. It explains this.

OK, I understand the basics of it, but this takes more time. I’m going to figure this out (openssl, Go, Qt) before asking further questions. Thanks in advance.