
Tweak certificate of membership revision/time tolerance to eliminate boundary packet loss issues occasionally seen in the wild.

Adam Ierymenko 9 years ago
parent
commit
10bb9919f1
2 changed files with 11 additions and 1 deletions
  1. 1 1
      controller/SqliteNetworkController.cpp
  2. 10 0
      node/CertificateOfMembership.hpp

+ 1 - 1
controller/SqliteNetworkController.cpp

@@ -2034,7 +2034,7 @@ NetworkController::ResultCode SqliteNetworkController::_doNetworkConfigRequest(c
 		}
 
 		if (network.isPrivate) {
-			CertificateOfMembership com(now,ZT_NETWORK_AUTOCONF_DELAY + (ZT_NETWORK_AUTOCONF_DELAY / 2),nwid,identity.address());
+			CertificateOfMembership com(now,ZT_NETWORK_COM_DEFAULT_REVISION_MAX_DELTA,nwid,identity.address());
 			if (com.sign(signingId)) // basically can't fail unless our identity is invalid
 				netconf[ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP] = com.toString();
 			else {
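Review bot: Nothing at this call site shows that the second constructor argument is also the de-authorization window. Per the comment added in node/CertificateOfMembership.hpp, it is the maximum divergence at which two certificates still agree, so going from 1.5x to 3x ZT_NETWORK_AUTOCONF_DELAY roughly doubles how long a removed member's last certificate keeps agreeing with its peers' certificates. A short comment above the constructor call would record that trade-off, e.g. `// max delta: tolerance for controller hiccups, but also how long a de-authorized member's last COM still agrees`. The enclosing _doNetworkConfigRequest body and the else branch continue outside the hunk.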

+ 10 - 0
node/CertificateOfMembership.hpp

@@ -33,6 +33,16 @@
 #include "Identity.hpp"
 #include "Utils.hpp"
 
+/**
+ * Default window of time for certificate agreement
+ *
+ * Right now we use time for 'revision' so this is the maximum time divergence
+ * between two certs for them to agree. It comes out to three minutes, which
+ * gives a lot of margin for error if the controller hiccups or its clock
+ * drifts but causes de-authorized peers to fall off fast enough.
+ */
+#define ZT_NETWORK_COM_DEFAULT_REVISION_MAX_DELTA (ZT_NETWORK_AUTOCONF_DELAY * 3)
+
 namespace ZeroTier {
 
 /**
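Review bot: The doc comment hard-codes "three minutes", but the macro is derived from ZT_NETWORK_AUTOCONF_DELAY, whose value and unit are not visible in this hunk. If the autoconf delay is retuned later, the certificate agreement window (and with it the time a de-authorized peer stays accepted) changes silently and the comment goes stale. I would state the relationship and the unit rather than the absolute figure, e.g. `three times the network autoconf delay (three minutes at the current setting), in the same unit as the certificate timestamp`. It is also worth confirming that the header defining ZT_NETWORK_AUTOCONF_DELAY is included above line 33, so this header stays self-contained.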