Use of the syncthing certificates

hate to be a pain - do we need the certificates for anything other than the GUI? i.e. is it used for the tcp:22000 or anything related to the transport?

Yes - I read the docs - I ask because the GUI is equivalent to the API - this would mean the API might also use the certificate. I want to be sure - as I have a FIPS requirement and I want to drop this out of the requirements (i.e. there are no TLS dependencies on the syncthing certificates)

Quoting the part wweich points to:

cert.pem, key.pem

The device’s ECDSA public and private key. These form the basis for the device ID. The key must be kept private.

https-cert.pem, https-key.pem

The certificate and key for HTTPS GUI connections. These may be replaced with a custom certificate for HTTPS as desired.

Two sets of certificates, two purposes. The first, for securing the sync connection (port 22000). The second, for securing the GUI and API (port 8384).

For more information (than you probably wanted) about the device ID and corresponding certificate, see Understanding Device IDs.

As I understand FIPS (which may be completely incorrect), you want RSA certificates instead of ECDSA. Syncthing doesn’t generate that, so you’d need to generate them outside of Syncthing, or run a custom version that defaults to RSA certificates instead of ECDSA. (One could envision a switch or something to control this.)
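A quick way to verify which key type a given cert.pem or https-cert.pem actually carries, as an added example that is not from this thread or from the Syncthing project: the script below defines a check based on `openssl x509 -text` and runs it against two constructed self-signed certificates (ECDSA P-256, the type Syncthing generates, and RSA 2048). It assumes `openssl` is installed; point `cert_key_algorithm` at the cert.pem in your own Syncthing configuration directory to check a real one.

```shell
#!/bin/sh
# Added example (not Syncthing's own code): report the public-key algorithm of a
# PEM certificate so a FIPS/policy check can confirm what the file really uses.
set -eu

# Print "ecdsa", "rsa" or "other" for the certificate file given as $1.
cert_key_algorithm() {
    alg=$(openssl x509 -in "$1" -noout -text \
          | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        id-ecPublicKey) echo ecdsa ;;
        rsaEncryption)  echo rsa ;;
        *)              echo other ;;
    esac
}

# Constructed sample inputs in a temp directory, removed when the script exits:
# one self-signed ECDSA P-256 cert (what Syncthing generates) and one RSA cert.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec-key.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/ec-key.pem" -days 1 \
    -subj "/CN=syncthing-example" -out "$WORK/ec-cert.pem" 2>/dev/null

openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rsa-key.pem" -days 1 \
    -subj "/CN=syncthing-example" -out "$WORK/rsa-cert.pem" 2>/dev/null

# Usage: replace these paths with your own cert.pem / https-cert.pem.
echo "ec-cert.pem:  $(cert_key_algorithm "$WORK/ec-cert.pem")"   # ecdsa
echo "rsa-cert.pem: $(cert_key_algorithm "$WORK/rsa-cert.pem")"  # rsa
```

Bear in mind that the device ID is derived from cert.pem, so swapping that file for an externally generated certificate changes the device's ID and every peer must re-add it.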

Thanks, this is what I suspected - but I needed to be absolutely sure.
