SSL Certs discovery v4 vs v6

Hi,

during a test of my network (Internet name resolution) I connected to the 6 discovery servers:

https://discovery-v4-1.syncthing.net
https://discovery-v4-2.syncthing.net
https://discovery-v4-3.syncthing.net
https://discovery-v6-1.syncthing.net
https://discovery-v6-2.syncthing.net
https://discovery-v6-3.syncthing.net

and found a difference in SSL certs of the discovery servers.

Why are the v6 ones issued to many domains?

I read about multi-domain certs; is that the case here? Maybe it’s a stupid question, but I saw so many domain names… all different from “syncthing”… :slightly_smiling:

Thank you in advance!

The three v4 servers have SSL certs:

discovery-v4-3.syncthing.net uses an invalid security certificate. 
The certificate is not trusted because it is self-signed. 
The certificate is only valid for syncthing 
(Error code: sec_error_unknown_issuer)

The three v6 servers have SSL certs:

discovery-v6-3.syncthing.net uses an invalid security certificate. 
The certificate is only valid for the following names: 
incapsula.com, *.7v11.com, *.aeroplan.com, *.algopay.com, 
*.atlabank.com, *.ballys.com, *.ballysac.com, *.ballyslasvegas.com, 
*.binaring.com, *.caesars.com, *.caesarsac.com, *.caesarsinteractive.com, 
*.caesarspalace.com, *.caesarswindsor.com, *.caixabankassetmanagement.com, 
*.capitalonetcpaclasssettlement.com, *.carrefour-banque.fr, 
*.cbcgroup.co.il, *.chartwellcompass.ca, *.diamondbank.com, 
*.fermainpay.com, *.flamingolasvegas.com, *.gainoption.com, *.gcc-broker.com, *.goldcardsettlement.com, *.grandcasinobil
....
.... more ...

This is expected.

This is unexpected, and not what I see:

jb@syno:~ $ curl -vvIk https://discovery-v6-3.syncthing.net/ping
*   Trying 2400:6180:0:d0::d9:d001...
* Connected to discovery-v6-3.syncthing.net (2400:6180:0:d0::d9:d001) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate: syncthing

In either case, Syncthing uses certificate pinning (that’s the long ?id=... strings you see in the config for the discovery servers). So the actual hostname on the certificate and who signed it doesn’t matter, as long as it’s exactly the certificate we expect. They are all self-signed.

Numbers one and three use “syncthing” as the certificate CN, number two uses “Acme Co” because I screwed up something when I created it… But it’s nailed into the config and will stay that way for a while. :slight_smile:

1 Like
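The pinning behaviour described in the reply above, as an added example that is not Syncthing's own code: a small Go program (names selfSignedCert, Fingerprint, DialPinned and PinDemo are assumed for this illustration) that starts a loopback TLS server with a self-signed certificate whose only identity is the CN, then dials it with a client that ignores the CA chain and hostname entirely and instead requires the presented leaf certificate to hash to an expected value. Pinning to the hex SHA-256 of the DER certificate is a simplification chosen here; the ?id= values in a Syncthing config use the project's own device-ID encoding of the certificate, which this example does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throw-away self-signed certificate whose only
// identity is its CommonName, like the discovery servers' certificates.
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is the pin used in this example: hex SHA-256 over the DER certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinnedClientConfig replaces chain and hostname verification with a pin check.
func pinnedClientConfig(expectedFP string) *tls.Config {
	return &tls.Config{
		// Turns off the default CA/hostname check; VerifyPeerCertificate below
		// is the real verification, so this replaces verification, not skips it.
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			if got := Fingerprint(rawCerts[0]); got != expectedFP {
				return fmt.Errorf("certificate pin mismatch: got %s, want %s", got, expectedFP)
			}
			return nil
		},
	}
}

// DialPinned handshakes with addr and returns nil only if the pin matched.
func DialPinned(addr, expectedFP string) error {
	conn, err := tls.Dial("tcp", addr, pinnedClientConfig(expectedFP))
	if err != nil {
		return err
	}
	return conn.Close()
}

// PinDemo serves a "syncthing" certificate on loopback and dials it twice: pinned
// to that certificate (accepted) and pinned to a second self-signed "Acme Co"
// certificate (rejected, although both are self-signed and neither names the host).
func PinDemo() (accepted bool, rejected bool, err error) {
	serverCert, err := selfSignedCert("syncthing")
	if err != nil {
		return false, false, err
	}
	otherCert, err := selfSignedCert("Acme Co")
	if err != nil {
		return false, false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	go func() { // complete each handshake so the client sees the certificate, then hang up
		for {
			c, aerr := ln.Accept()
			if aerr != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // errors when the client rejects the pin; expected
			}(c)
		}
	}()
	addr := ln.Addr().String()
	accepted = DialPinned(addr, Fingerprint(serverCert.Certificate[0])) == nil
	rejected = DialPinned(addr, Fingerprint(otherCert.Certificate[0])) != nil
	return accepted, rejected, nil
}
```

PinDemo returns (true, true, nil): the client accepts the exact certificate it was told to expect and refuses any other, regardless of signer or subject, which is why a self-signed "syncthing" or "Acme Co" CN works for a pinned discovery client while a browser, which checks the chain and hostname instead, shows the error from the original post.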

I love it, sounds like something I would do, then realise 10 minutes after the first release with that certificate went live.

1 Like