authorJakob Borg <jakob@kastelo.net>2021-04-26 10:04:35 +0200
committerGitHub <noreply@github.com>2021-04-26 10:04:35 +0200
commit74823e81e958bcb7f391803502e59f6890efa65a (patch)
tree1065ffe3df030820095ee337bafa41ba2c7886f1 /proto
parentef4b8a2cf86d067c59a31ab3de20ffc0dca6e877 (diff)
all: Deprecate TLS 1.2 on sync connections (fixes #7594) (#7598)
This makes us use TLS 1.3+ on sync connections by default. A new option `insecureAllowOldTLSVersions` exists to allow communication with TLS 1.2-only clients (roughly Syncthing 1.2.2 and older). Even with that option set you get a slightly simplified setup, with the cipher suite order fixed instead of auto detected.
Diffstat (limited to 'proto')
-rw-r--r--proto/lib/config/optionsconfiguration.proto4
1 files changed, 4 insertions, 0 deletions
diff --git a/proto/lib/config/optionsconfiguration.proto b/proto/lib/config/optionsconfiguration.proto
index 07a00a625..1a13305d1 100644
--- a/proto/lib/config/optionsconfiguration.proto
+++ b/proto/lib/config/optionsconfiguration.proto
@@ -67,6 +67,10 @@ message OptionsConfiguration {
// attempting outgoing connections.
int32 connection_limit_max = 52;
+ // When set, this allows TLS 1.2 on sync connections, where we otherwise
+ // default to TLS 1.3+ only.
+ bool insecure_allow_old_tls_versions = 53 [(ext.goname)= "InsecureAllowOldTLSVersions", (ext.xml) = "insecureAllowOldTLSVersions", (ext.json) = "insecureAllowOldTLSVersions"];
+
// Legacy deprecated
bool upnp_enabled = 9000 [deprecated = true, (ext.goname) = "DeprecatedUPnPEnabled"];
int32 upnp_lease_m = 9001 [deprecated = true, (ext.goname) = "DeprecatedUPnPLeaseM", (ext.xml) = "upnpLeaseMinutes,omitempty"];
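Review bot: The comment on `insecure_allow_old_tls_versions` (field 53) says what the flag does but not when it is needed or what enabling it costs, so anyone reading the schema has to find the commit message to learn that. I would extend it to `// When set, this allows TLS 1.2 on sync connections, where we otherwise default to TLS 1.3+ only.` followed by `// Only needed to talk to TLS 1.2-only peers (roughly Syncthing 1.2.2 and older); leave unset otherwise.` Because the field sits in `OptionsConfiguration` rather than in a per-device message, it presumably lowers the minimum version for every sync connection and not just the old peer, which is worth stating in the comment if that is the case. As a style point, `(ext.goname)= "InsecureAllowOldTLSVersions"` is missing the space before `=` that the other options on the same line and the neighbouring fields use. The `OptionsConfiguration` message starts and ends outside this hunk.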