Using Syncthing in a company where there is a self-signed MITM SSL cert

I’m in a company network where there is a self-signed MITM SSL cert. The self-signed cert is installed in Windows’ Secure Channel by the company domain policy. Software like Chrome or newer versions of git can use the cert from Windows’ Secure Channel and work fine. However, for other software like Java, npm, conda, or older versions of git, I have to export the cert from Chrome and configure the cert for these programs in order for them to connect to some HTTPS sites.

So I wonder whether I need to configure anything for Syncthing to use the cert?

Also, the company appears to have set up some firewall rules. Currently Syncthing is not working well: sometimes it works, but sometimes not. I don’t know if it’s a cert issue or a firewall issue. I don’t know which firewall rule or which port causes the issues; how do I debug this?

This is a log from a computer with STTRACE=model enabled: https://pastebin.pl/view/7fefb67a

I also tried setting up a strelaysrv listening on 443, but it seems it’s still not working well. These are logs from another computer with this strelaysrv-on-443 setup:

https://pastebin.pl/view/fc001be0

Syncthing isn’t going to accept MITM on the sync connections, nor most relay connections.

For permitting things through the firewall, https://docs.syncthing.net/users/firewall.html

Thank you for the reply. Just want to clarify.

This is what I have to do for older versions of git, otherwise git will not connect to HTTPS repositories: https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows I need to export the cert from Chrome and save it as a file. Then use git config --global http.sslCAInfo C:/Users/Matt/ca-bundle.crt to add it to .gitconfig. (Or I can set git config --global http.sslVerify false to allow git to accept any cert, but that leaves a security risk.) For newer versions of git, when installing I can select the native Windows Secure Channel library and don’t need to do this.

Do you mean Syncthing isn’t going to accept any cert, like setting http.sslVerify to false (this appears not to be a secure option)? Or that it can’t add a cert file and use it like older git? Or let it use the Windows Secure Channel like the newer git?

Will this feature be considered in the future? If not, what’s the reason?

BTW, what are the sync connections and relay connections? Are they the Block Exchange Protocol and the Relay Protocol?

I’m not sure what feature you’re looking for, really. Syncthing uses the system trust store for verifying the regular HTTPS connections it does, which are the upgrade check, the usage reporting, and listing available relays. Adding your root certificate there should allow those connections to be MITM inspected, like any other HTTPS. However, connections to other devices and to relays are verified by certificate fingerprint (device ID) and so don’t care about any signing infrastructure at all. You can read about the protocols etc. on docs.syncthing.net.
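To make concrete what the reply above describes (peers verified by certificate fingerprint rather than by who signed the certificate), here is an added Go example that is not Syncthing’s own code: it generates a throwaway self-signed certificate, pins its SHA-256 fingerprint, and builds a tls.Config whose verification accepts only that exact certificate, so a different certificate presented by an inspecting proxy fails regardless of which CA (corporate or otherwise) signed it. The helper names (selfSignedDER, fingerprint, pinnedVerifier, pinnedConfig) are assumptions of this example, and Syncthing’s actual device-ID encoding of the hash is not reproduced.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedDER makes a throwaway self-signed cert (DER), like the per-device cert Syncthing generates.
func selfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// fingerprint is SHA-256 over the DER bytes; Syncthing derives the device ID from this hash.
func fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// pinnedVerifier accepts a peer only if its leaf cert hashes to the pinned fingerprint.
// The signer is never consulted, so a corporate MITM root cannot vouch for a proxy's cert.
func pinnedVerifier(expected [32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		if got := fingerprint(rawCerts[0]); got != expected {
			return fmt.Errorf("peer fingerprint %x does not match the pinned device", got)
		}
		return nil
	}
}

// pinnedConfig disables CA-chain checks and substitutes the fingerprint check (assumed wiring).
func pinnedConfig(expected [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true, // chain/CA validation replaced by VerifyPeerCertificate
		VerifyPeerCertificate: pinnedVerifier(expected),
	}
}
```

Because the check compares the raw certificate bytes, an inspecting proxy would have to present the device’s own certificate (which requires its private key), not merely one chaining to a trusted root.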
