What happens when the certificate expires?

gagootron · August 17, 2023, 1:53pm

I have read the docs regarding how the SHA256 hash of the certificate is used to generate the ID. Looking at my certificate that Syncthing generated (cert.pem not https-cert.pem), I noticed that it will expire in 20 years. What happens after? Will this stop my clients from syncing, or does Syncthing not check the expiry date of the certificate?

While 20 years is ways away, I would rather not have to worry about a ticking timebomb breaking my sync and forcing me to reconnect all my devices.

calmh · August 17, 2023, 2:58pm

You will have to generate a new certificate and get a new device ID in 20 years.

acolomb · August 17, 2023, 7:11pm

Unless, of course, the Syncthing developers devise a genius zero-effort upgrade strategy well before Syncthing’s 20th anniversary. And you stay updated with new versions until then.

gagootron · August 17, 2023, 7:34pm

Oh well, 10 years to go . I’m sure a solution can be found by then. I imagine something like having two certificates and telling every peer that connects that you have a new ID. As long as every device can be reached before the certificate expires this should work.

Nummer378 · August 17, 2023, 8:39pm

I’m pretty sure that the current code does not validate the certificate expiry date and will work just fine with expired certs.

This may change in the future though. Suitable key algorithms may also change in the future, so I wouldn’t rely on the ID remaining stable forever. Don’t worry about the expiry for now, but “plan for change” anyway.

tomasz86 · August 17, 2023, 9:22pm

Is the default validity period 30 years? I’ve just checked one of my certificates which was generated in 2019, and it is supposedly valid until 2049. Still a long way to go .

calmh · August 18, 2023, 11:02am

No, 20 years. You might have generated that yourself perhaps?

That certainly appears to be the case.

tomasz86 · August 18, 2023, 11:29am

That’s strange. I’ve checked all my devices, and two of them have certificates that are valid until 2049-12-31T23:59:59.000Z (while the rest are valid for 20 years). Both of them were generated by Syncthing, and especially the first one from 2019 was generated using the official (not self-compiled) binary, as this is the certificate that was generated when I started using Syncthing for the very first time.

calmh · August 18, 2023, 1:21pm

Indeed, we had that hardcoded until v1.3.2 sometime in 2019, apparently, then we switched to now + 20 years for the device certificate. This was when we changed to a short(er) lifetime for the HTTPS certs.

github.com/syncthing/syncthing

all: Update certificate lifetimes (fixes #6036) (#6078)

committed 06:31PM - 16 Oct 19 UTC

calmh

+119 -24

This adds a certificate lifetime parameter to our certificate generation and ha…rd codes it to twenty years in some uninteresting places. In the main binary there are a couple of constants but it results in twenty years for the device certificate and 820 days for the HTTPS one. 820 is less than the 825 maximum Apple allows nowadays. This also means we must be prepared for certificates to expire, so I add some handling for that and generate a new certificate when needed. For self signed certificates we regenerate a month ahead of time. For other certificates we leave well enough alone.