-
Notifications
You must be signed in to change notification settings - Fork 961
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificate expiry #5594
Comments
Hey! Thanks for the report. Depending on the use-case, it might be more ideal to set a fix expiration date that is far into the future. Ie, 50 years or more from the time of creation. Right now though, the certificate in webrtc is generate at random unless you provide your own you wont be able to change the expiration date without modifying the code rust-libp2p/transports/webrtc/src/tokio/certificate.rs Lines 36 to 47 in 3837e33
|
Hello, Would browsers accept such a far-away expiration date? In any case, is there a way of reading the actual expiry date from the certificate in rust? If this is possible, then even a short certificate validity would work, since we could regenerate the certificate when it expires. |
I would not see why they wouldnt given webrtc certificates are self-signed.
It is possible by parsing the PEM and extract it manually. The other way is to use rcgen to parse the PEM and use the struct it returns to access the expiration date. Maybe in the future, if applicable, we could have some type of checks or maybe an event emitted from the transport to alert about the expiration of the certificate and could attempt to regenerate it with a new expiration date. Of course the connections would need to be reestablished unless webrtc has a way to share the new certificate without dropping and reestablishing the connection. |
Summary
As self-signed WebRTC certificates expire after 30 days, the rust peer should generate a new certificate once the old one has expired.
Expected behavior
The rust peer should, when loading an expired certificate, automatically detect that it is no longer valid and instead generate and advertise (and locally save) a new certificate.
Actual behavior
The peer seems to keep using and advertising the expired certificate in the peer address, which leads to unsuccessful connection attempts by other peers that rely on WebRTC.
Relevant log output
No response
Possible Solution
I was unable to find a programmatic way of detecting the certificate's expiry date in rust-libp2p. If this could be done, then regenerating and saving a new certificate should be trivial.
Version
No response
Would you like to work on fixing this bug ?
Yes
The text was updated successfully, but these errors were encountered: