Implement TLS security protocol including early muxer negotiation #283
Conversation
|
|
ianopolous
force-pushed
the
feat/upstream-tls
branch
from
cacc181 to
a185004
Compare
|
@ianopolous thanks for another contribution 👍 Some questions here:
I'm planning to revisit early muxer handshake concept and probably make a separate PR for introducing it |
|
I think I'm most of the way to removing the need for java 17. I've pushed it to a new branch: https://github.com/Peergos/jvm-libp2p/tree/feat/upstream-tls-java-11 However I can't get gradle to find the new bouncy castle jar (which is in maven central like the rest). Any chance you could have a look @Nashatyrev ? |
Wouldn't that help? Index: versions.gradle
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/versions.gradle b/versions.gradle
--- a/versions.gradle (revision d4eb98c8bd4d6ae86eca228c35682b2da9edf9b7)
+++ b/versions.gradle (date 1685016596704)
@@ -40,6 +40,7 @@
dependencySet(group: "org.bouncycastle", version: "1.70") {
entry 'bcprov-jdk15on'
entry 'bcpkix-jdk15on'
+ entry 'bctls-jdk15on'
}
}
} |
|
Thank you @Nashatyrev. It's building and running in that java11 branch. But I can't get it to work. It just times out getting the Ping controller. Any chance you could have a look? I'm testing using HostTestJava and running Kubo locally (You'll need to change the Peerid in the test if you run it) |
|
Do you mean it doesn't work with TLS security, but works with others? |
|
The test is specifically for TLS (If I switch to Noise it is fine). It is working in this branch on java 17, but not in the java 11 branch with BC. I'm running it locally, along with Kubo. |
|
I think https://github.com/Peergos/jvm-libp2p/tree/feat/upstream-tls-java-11 is quite close. It works fine Java to Java using Ed25519 certs using BouncyCastle. Talking to Kubo (which uses ECDSA over P-256) the TLS handshake completes, but a subsequent protocol select times out. |
|
@ianopolous jvm-libp2p/libp2p/src/test/kotlin/io/libp2p/core/HostTest.kt Lines 138 to 142 in 89ba1c2 Just use addLogger() instead of addHandler()
|
|
Don't worry, I'll use the Kotlin one. |
|
The plot thickens. Running HostTestJava to Kubo works with {Noise + (mplex or yamux)}, but fails with TLS However, if I disable early muxer negotiation, then TLS works! So it's possible we broke early muxer with some of the upstream changes?? EDIT: Nope. It runs fine on this branch. So that likely means there is something wrong with Bouncy Castle ALPN... BINGO! I've got it. It was a bug in Netty's interaction with BC for ALPN. Updating Netty fixes it! |
|
@Nashatyrev Ok. We're now good with Java 11. The use for the EventLoop is a p2p http proxy. It accepts incoming libp2p connections and proxies it to a fixed http endpoint or http handler. We needed access to the eventloop to add the new http handlers when receiving a new connection: https://github.com/Peergos/nabu/blob/master/src/main/java/org/peergos/protocol/http/HttpProtocol.java#L103 |
Todo: * muxer negotiation via client hello info * verify remote certs
Implemented full trust manager TODO: * Muxer negotiation in client hello info * close stream on cipher error
Remove Secio from defaults!! Kubo still drops us during handshake
But default to Ed25519
Mark certificate extension as critical
Don't remove the SetupHandler before adding the TLS handler.
…l in early muxer negotiation
Handle no early negotiated muxer protocol in TLS
ianopolous
force-pushed
the
feat/upstream-tls
branch
from
86c808a to
d3ed41e
Compare
Great news! Thanks!
Sorry, I didn't dive deeply into the usage case above. |
|
@Nashatyrev I've removed the EventLoop stuff from this PR. Are you planning on PRing your early muxer stuff into this branch?
|
ianopolous
force-pushed
the
feat/upstream-tls
branch
from
11f68f4 to
115dbac
Compare
| ApplicationProtocolConfig.Protocol.ALPN, | ||
| ApplicationProtocolConfig.SelectorFailureBehavior.FATAL_ALERT, | ||
| ApplicationProtocolConfig.SelectedListenerFailureBehavior.FATAL_ALERT, | ||
| muxerIds.plus("libp2p") // early muxer negotiation |
There was a problem hiding this comment.
Why do we need adding "libp2p" here?
Just doing some minor refactoring and curious if it would be the same effect if we don't add this value?
There was a problem hiding this comment.
This is for compatibility with clients that do not support early muxer negotiation (they just send "libp2p"). So definitely necessary.
…puxer protocol, pass a list of StreamMuxers to constructor. SecureChannel.Session contains NegotiatedStreamMuxer instance instead of string protocol representation
There was a problem hiding this comment.
Basically LGTM. Just please consider some minor refactor here: Peergos#9
I'm still slightly concerned with SecureChannel.Session.earlyMuxer property. It has a transient nature and is not intended to be exposed in the API. But I'm planning to address it later in a separate PR to not block further upstream work
More type safety for early muxer negotiation
Early muxer negotiation is when the security protocol handshake is used to negotiate the muxer to avoid a round trip. In TLS this is done using ALPN. It is not implemented for Noise here.
This also includes a few small changes:
Part of #272