Provided by: syncthing_1.1.4~ds1-4_amd64 bug


       syncthing-globaldisco - Global Discovery Protocol v3


       A  device should announce itself at startup. It does this by an HTTPS POST to the announce
       server URL. Standard discovery currently requires the path to be “/v2/”, yet this  can  be
       up  to  the discovery server. The POST has a JSON payload listing connection addresses (if

                  addresses: ["tcp://", "tcp://:22202", "relay://"],

       It’s OK for the “addresses” field to be either the  empty  list  ([]),  null,  or  missing
       entirely. An announcement with the field missing or empty is however not useful…

       Any   empty   or   unspecified   IP   addresses   (i.e.   addresses   like   tcp://:22000,
       tcp://, tcp://[::]:22000) are interpreted  as  referring  to  the  source  IP
       address of the announcement.

       The  device  ID  of  the  announcing device is not part of the announcement.  Instead, the
       server requires that the client perform  certificate  authentication.  The  device  ID  is
       deduced from the presented certificate.

       The server response is empty, with code 204 (No Content) on success. If no certificate was
       presented, status 403 (Forbidden) is returned. If the posted data doesn’t conform  to  the
       expected format, 400 (Bad Request) is returned.

       In  successful  responses,  the server may return a Reannounce-After header containing the
       number of seconds after which the client should perform a new announcement.

       In error responses, the server may return a Retry-After header containing  the  number  of
       seconds after which the client should retry.

       Performing  announcements  significantly more often than indicated by the Reannounce-After
       or Retry-After headers may result in the client being throttled. In such cases the  server
       may respond with status code 429 (Too Many Requests).


       Queries  are  performed  as  HTTPS  GET requests to the announce server URL. The requested
       device ID is passed as the query  parameter  “device”,  in  canonical  string  form,  i.e.

       Successful  responses  will have status code 200 (OK) and carry a JSON payload of the same
       format as the announcement above. The response  will  not  contain  empty  or  unspecified

       If the “device” query parameter is missing or malformed, the status code 400 (Bad Request)
       is returned.

       If the device ID is of a valid format but not found in the registry, 404  (Not  Found)  is

       If  the  client  has  exceeded  a  rate  limit,  the server may respond with 429 (Too Many


       Global discovery is spoken over HTTPS and is  protected  against  attackers  in  the  same
       manner  as other HTTPS traffic. However, there are a few Syncthing specific considerations
       on top of  this.  As  mentioned  above,  for  announcements  the  client  must  provide  a
       certificate to prove ownership of the announced device ID.

       In  addition,  Syncthing  has  a mechanism to verify the identity of the discovery server.
       While this would normally be accomplished by using  a  CA  signed  certificate,  Syncthing
       often  runs  in environments with outdated or simply nonexistent root CA bundles. Instead,
       Syncthing can verify the discovery server certificate  fingerprint  using  the  device  ID
       mechanism.  This  is  certificate pinning and conveyed in the Syncthing configuration as a
       synthetic      “id”      parameter      on      the      discovery       server       URL:  The  “id” parameter is not, in fact, sent to the
       discovery server - it’s used by Syncthing itself to know which certificate  to  expect  on
       the server side.

       The  public  discovery  network  uses  this  authentication mechanism instead of CA signed

       The discovery server prints its certificate ID in this manner on startup.


       The Syncthing Authors


       2014-2019, The Syncthing Authors