Key.pem, Cipher and Hashing Alternatives for Syncthing?

Given that an advanced user could replace the key.pem and cert.pem files with a keypair generated directly by the openssl utility or another mechanism, is it possible to use a p12 (private key), or must it be in the pem format only?

Does it matter if the pem includes a CN other than Syncthing?

Are there any other restrictions or syntax required when using a digital ID (certificate)?

Is there an easy CMD or GUI method to change the 3072 bit RSA key for a larger one? How large is allowed?

Can an alternative cipher be used as well? Such as curve25519? Can an alternative hash be used like SHA3?

An in-depth manual on Syncthing would be most welcome for customization here.

So it expects files ending with pem: https://github.com/syncthing/syncthing/blob/master/cmd/syncthing/tls.go#L41

The stdlib says: The files must contain PEM encoded data.

You can use a custom common name, but then you have to explicitly specify the custom common name in the config of the other peer which it should expect when you connect to it.

For restrictions and syntax, I think it just has to be a standard key file: the certificate file having a CERTIFICATE header and the key file having an RSA PRIVATE KEY header, as shown in the code above.

3072 bits is the compiled-in default; you can generate a larger key pair yourself and replace the existing certificates.

The list of ciphers is here:

I think we are limited to what Go provides in this case.

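The answer above amounts to a procedure: generate a larger RSA key, wrap it and a self-signed certificate in PEM blocks with the CERTIFICATE and RSA PRIVATE KEY headers, and drop them in as cert.pem/key.pem. The following is an added example, written for this page and not code from Syncthing or from the posters, that does exactly that in Go (the language Syncthing and the quoted stdlib loader are written in) and then runs the pre-flight check a practitioner would want before replacing the files: block types, key/certificate match via the standard library's tls.X509KeyPair, and the resulting CN and modulus size. The validity period, key usages, serial number and file names written by main are this example's own choices, not anything Syncthing requires.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// GenerateKeyPair creates an RSA private key of the requested size and a
// self-signed certificate whose subject is the given common name. Both are
// returned as PEM text using the block types the answer names: "CERTIFICATE"
// for cert.pem and the PKCS#1 "RSA PRIVATE KEY" header for key.pem.
// Validity period and key usages below are this example's own choices.
func GenerateKeyPair(bits int, commonName string) (certPEM, keyPEM []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial; a self-signed certificate still needs one.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(20, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return certPEM, keyPEM, nil
}

// CheckPEMPair is the pre-flight check for a hand-made cert.pem/key.pem.
// It enforces the PEM block types the answer describes, confirms through the
// Go standard library (tls.X509KeyPair) that the key belongs to the
// certificate, and reports the CN and RSA modulus size it found.
func CheckPEMPair(certPEM, keyPEM []byte) (commonName string, bits int, err error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return "", 0, errors.New("cert.pem: expected a PEM block of type CERTIFICATE")
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type != "RSA PRIVATE KEY" {
		return "", 0, errors.New("key.pem: expected a PEM block of type RSA PRIVATE KEY (PKCS#1)")
	}
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return "", 0, fmt.Errorf("key does not match certificate: %w", err)
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return "", 0, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", 0, errors.New("certificate public key is not RSA")
	}
	return cert.Subject.CommonName, pub.N.BitLen(), nil
}

func main() {
	// 4096 bits: larger than the 3072-bit compiled-in default the answer mentions.
	certPEM, keyPEM, err := GenerateKeyPair(4096, "syncthing")
	if err != nil {
		fmt.Fprintln(os.Stderr, "generate:", err)
		os.Exit(1)
	}
	cn, bits, err := CheckPEMPair(certPEM, keyPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check:", err)
		os.Exit(1)
	}
	fmt.Printf("CN=%s RSA-%d: pair is consistent\n", cn, bits)
	// Written to the current directory; copy into the config directory by hand.
	if err := os.WriteFile("cert.pem", certPEM, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile("key.pem", keyPEM, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two caveats worth knowing when generating the pair with openssl instead: the header check here is deliberately stricter than the standard library, since tls.X509KeyPair itself also accepts PKCS#8 ("PRIVATE KEY") and EC keys; and OpenSSL 3's `genrsa` writes PKCS#8 by default, so pass `-traditional` if you want the RSA PRIVATE KEY header the answer describes. If you use a common name other than the one shown, remember the answer's point that the other peer must be configured to expect it.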

Thank you, Audrius Butkevicius, for the information. :frog: