I have read the docs regarding how the SHA256 hash of the certificate is used to generate the ID.
Looking at my certificate that Syncthing generated (cert.pem not https-cert.pem), I noticed that it will expire in 20 years.
What happens after? Will this stop my clients from syncing, or does Syncthing not check the expiry date of the certificate?
While 20 years is a long way away, I would rather not have to worry about a ticking timebomb breaking my sync and forcing me to reconnect all my devices.
Oh well, 10 years to go. I’m sure a solution can be found by then. I imagine something like having two certificates and telling every peer that connects that you have a new ID. As long as every device can be reached before the certificate expires this should work.
I’m pretty sure that the current code does not validate the certificate expiry date and will work just fine with expired certs.
This may change in the future though. Suitable key algorithms may also change in the future, so I wouldn’t rely on the ID remaining stable forever. Don’t worry about the expiry for now, but “plan for change” anyway.
That’s strange. I’ve checked all my devices, and two of them have certificates that are valid until 2049-12-31T23:59:59.000Z (while the rest are valid for 20 years). Both of them were generated by Syncthing, and especially the first one from 2019 was generated using the official (not self-compiled) binary, as this is the certificate that was generated when I started using Syncthing for the very first time.
Indeed, we had that hardcoded until v1.3.2 sometime in 2019, apparently; then we switched to now + 20 years for the device certificate. This was when we changed to a short(er) lifetime for the HTTPS certs.
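The two points made in this thread, that the identity is the SHA-256 of the DER-encoded certificate and that a strict X.509 verifier would start rejecting the certificate the moment it passes its notAfter date even though the fingerprint never changes, can be checked directly with Go's standard library (Go being the language Syncthing is written in). This is an added example, not Syncthing's own code: the key type, certificate template, function names and the 20-year lifetime are assumptions made here so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a self-signed certificate valid from notBefore for
// the given number of years. The P-256 key and minimal template are assumptions
// for this example; Syncthing's own key type and template may differ.
func newSelfSignedCert(notBefore time.Time, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-device"}, // constructed name
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fingerprint returns the hex SHA-256 of the certificate's DER bytes, the
// value the device ID is derived from. It depends only on the bytes, so it is
// identical before and after the notAfter date.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// daysUntilExpiry reports whole days remaining until notAfter as seen from now
// (negative once the certificate has expired).
func daysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// isExpiredAt reports whether a strict X.509 verifier, trusting this
// self-signed certificate as its own root, would reject it at the given time
// specifically because it has expired.
func isExpiredAt(cert *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	cert, err := newSelfSignedCert(now, 20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("fingerprint (SHA-256 of DER): %s\n", fingerprint(cert))
	fmt.Printf("days until expiry: %d\n", daysUntilExpiry(cert, now))
	fmt.Printf("rejected by a strict verifier today: %v\n", isExpiredAt(cert, now))
	fmt.Printf("rejected by a strict verifier in 21 years: %v\n", isExpiredAt(cert, now.AddDate(21, 0, 0)))
}
```

To inspect a real device certificate instead of the constructed one, read `cert.pem`, decode the PEM block with `encoding/pem`, and pass the DER bytes to `x509.ParseCertificate`; `fingerprint` and `daysUntilExpiry` then work unchanged. The `isExpiredAt` result is what a peer would see only if it chose to enforce notAfter, which, per the answer above, the current code does not do.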