This issue was moved to a discussion.

[Feature] Advanced TLS options #502

Closed
ElDavoo opened this issue Feb 4, 2022 · 2 comments

ElDavoo commented Feb 4, 2022

It would be nice for Syncplay to support advanced/insecure TLS options for advanced/risky users. For example:

  1. The ability to turn off certificate validation, in order to support self-signed certificates
  2. The ability to use a custom CA file (since that should be easy to do)
  3. The ability to enforce a minimum TLS version

Etc etc...

Contributor

Et0h commented Feb 11, 2022

Thanks for sharing your suggestion.

Adding to the complexity of Syncplay generally goes against our principles set out at #315 for just such reasons. It is not our goal to support every possible use case, just all the most common use cases. We also place a high degree of value in backwards and forwards compatibility and cross platform/player compatibility.

I wasn't the main person to do the TLS code but my understanding is that it took a lot of work, especially given the large number of platforms we support. I don't really want us to have to manage even more complexity as that can make bugs more likely and make maintenance more difficult. Adding new TLS options could also increase the support burden and can create compatibility issues between different Syncplay clients which creates even more support issues (especially as it probably won't just be experienced users who try to use the feature or connect to a server which does).

I'll leave this discussion open for a while in case any of the other core Syncplay developers have anything to say, but my assumption is that there is no appetite for tinkering with the TLS code to add new advanced features.

Contributor

daniel-123 commented Feb 11, 2022

@ElDavoo to expand a bit on what Et0h said with regards to specific details:

  1. Turning off certificate validation defeats a large part of the reasons why you'd want to use them in the first place. Especially given how it's very easy to get free certificates, as Let's Encrypt works just fine with free subdomains offered by various providers. There are only a handful of reasons to use self-signed certificates in 2022 and I don't see how they would apply to Syncplay.

  2. As far as support for custom CAs goes - anybody who is knowledgeable enough about TLS to understand what a custom CA is can use it already by adding it to the certifi trust store. And there are even fewer reasons to use them than self-signed certificates.

  3. There is largely no point in allowing end users control over the minimum TLS version as Syncplay already uses TLS 1.3 and the fallback for TLS 1.2 is very limited in scope - which is much stricter than the defaults of any web browser, for example. The list of ciphers Syncplay allows in a connection downgraded to TLS 1.2 is the same as 1.3 mandates. That said, back when TLS was implemented for Syncplay, 1.2 was already expected to be used rarely and nowadays support for 1.2 could almost certainly be outright dropped silently.

All things considered, security is a very delicate subject and we would strongly prefer to keep our implementation as simple and streamlined as possible. Things that possibly could be on the table, but without any specific priorities attached to them, would be:

  • Dropping TLS 1.2 support. Completely reasonable step, but we don't see much of a reason to rush it given the "good enough" state of TLS 1.2 right now.
  • A strict TLS-only mode of some sort. Though we haven't found a good way to implement it given the expectation that people who host Syncplay servers don't necessarily want or need to bother with TLS. And if it doesn't default to "on", then it's largely useless to the vast majority of users.

@Syncplay Syncplay locked and limited conversation to collaborators Mar 7, 2022
@Et0h Et0h converted this issue into discussion #514 Mar 7, 2022
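
The three options discussed in this thread (disabled validation, a custom CA, a minimum TLS version), compared in an added example that is not Syncplay's code. It uses Python's standard `ssl` module; the function names and the TLS 1.2 cipher string are assumptions made for illustration.

```python
import ssl

# Assumed TLS 1.2 cipher string (ECDHE with AEAD suites only); not Syncplay's actual list.
TLS12_AEAD = "ECDHE+AESGCM:ECDHE+CHACHA20"


def strict_client_context(ca_file=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that keeps validation on; ca_file adds a private CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ca_file is not None:
        # A custom CA extends the trust store; it does not relax checking.
        ctx.load_verify_locations(cafile=ca_file)
    ctx.minimum_version = min_version
    ctx.set_ciphers(TLS12_AEAD)  # affects TLS 1.2 and below only
    return ctx


def insecure_client_context():
    """What 'turn off certificate validation' amounts to (shown for contrast)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx, min_version=ssl.TLSVersion.TLSv1_2):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < min_version:
        findings.append("minimum TLS version below policy")
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and not c.get("aead")]
    if weak:
        findings.append("non-AEAD ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, ctx in (("strict", strict_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

Passing `ca_file` keeps `CERT_REQUIRED` and hostname checking in force, which is the difference between trusting a private CA and switching validation off.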
