feat(iroh)!: switch TLS authentication to raw public keys #2937
Conversation
|
Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/2937/docs/iroh/ Last updated: 2025-03-14T13:04:06Z |
|
For a hot minute I was imagining a feature on rustls to disable all non-RPK paths, imagining that we could get rid of ASN.1/DER parsing code. |
iroh-net/src/tls/resolver.rs
Outdated
| use crate::tls::Authentication; | ||
|
|
||
| #[derive(Debug)] | ||
| pub(crate) struct AlwaysResolvesCert { |
There was a problem hiding this comment.
Kind of annoying that rustls has all the implementations for ResolvesClientCert and ResolvesServerCert that we need, but they're not all exposed.
There's
AlwaysResolvesClientCertAlwaysResolvesServerCertAlwaysResolvesClientRawPublicKeyCertAlwaysResolvesServerRawPublicKeyCert
I'd rather not have to implement a trait outside the crate where it's defined, but eh.
Also it's super annoying that they split it up into client/server like that.
|
Going to wait with pushing this forward until we know if rustls/rustls#2258 might happen |
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
ed3d590 to
e44d964
Compare
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
9b7bb71 to
dfe0885
Compare
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
d21dffb to
5d89fe3
Compare
looks like this is not happening, or at least not soon, so moving forward with this |
dignifiedquire
changed the title
|
|
||
| #[tokio::test] | ||
| #[traced_test] | ||
| async fn test_two_devices_roundtrip_quinn_rebinding_conn() -> Result<()> { |
There was a problem hiding this comment.
Hm. Are we sure we want to delete these tests?
I see it's weird to see a test that tests "quinn", but I think what this is actually doing is testing UdpConn (without depending on iroh being correct).
Instead of deleting these, perhaps they should be renamed & moved to udp_conn.rs?
iroh/src/tls.rs
Outdated
| /// Error for generating iroh p2p TLS configs. | ||
| /// TLS Authentication mechanism | ||
| #[derive(Default, Debug, Copy, Clone, PartialEq, Eq)] | ||
| pub enum Authentication { |
There was a problem hiding this comment.
I personally find it a little confusing if we have mod tls; in lib.rs, but then use pub enum etc. here.
Can we make it pub(crate) enum (and also the same with pub mod certificate etc.)?
There was a problem hiding this comment.
cleaned this up
There was a problem hiding this comment.
This enum also should be pub(crate) should it not?
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
98ad8d5 to
bb49ae7
Compare
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
40423a3 to
4f5e787
Compare
There was a problem hiding this comment.
I'm happy with the changes, and I'd be down for this to get merged.
But I do wonder why you've removed 4 tests? Do you think they're not useful anymore? The tests are:
magicsock::test_two_devices_roundtrip_quinn_rawmagicsock::test_two_devices_roundtrip_quinn_rebinding_connmagicsock::udp_conn::test_rebinding_conn_send_recv_ipv4magicsock::udp_conn::test_rebinding_conn_send_recv_ipv6
I guess they're related to this PR because they use tls::make_client_config and tls::make_server_config. Was there some problem in getting them to work?
| /// | ||
| /// For details see the libp2p spec at <https://github.com/libp2p/specs/blob/master/tls/tls.md> | ||
| /// | ||
| /// This is the only mechanism available in `iroh@0.33.0` and earlier. |
There was a problem hiding this comment.
We should also add that this method will be removed at some time in the future? Like to make it really clear that you should only use this to transition, but don't just use it and forget about it.
iroh/src/tls.rs
Outdated
| /// Error for generating iroh p2p TLS configs. | ||
| /// TLS Authentication mechanism | ||
| #[derive(Default, Debug, Copy, Clone, PartialEq, Eq)] | ||
| pub enum Authentication { |
There was a problem hiding this comment.
This enum also should be pub(crate) should it not?
They were pretty painful to update, and I am not convinced of their usefulness tbh, as they don't really test much of our code anymore. But happy to hear other arguments |
Yes |
My understanding is that as long as we don't have encrypted client hello, this is observable during the handshake |
Yeah I was about to write that.
|
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
03fac9c to
ae45558
Compare
|
I have moved the test discussion into an issue, to not block merging this #3229 |
This is step 1 to land #2798
this was only used in tests, and those only tested quinn isolation things, which have been removed
Co-authored-by: Philipp Krüger <philipp.krueger1@gmail.com>
dignifiedquire
force-pushed
the
feat-raw-public-key
branch
from
a5e653a to
6bdbbf0
Compare
dignifiedquire
changed the title
## Description This introduces the configuration of the TLS authentication method, allowing to enable the usage of raw public keys, which will lead to us being able to remove the hack of using self signed certificates. ## Breaking Changes By default iroh endpoints will now use the new `RawPublicKey` TLS configuration. This means they will not be able to talk to older iroh nodes. If needed, the old mechanism can still be used by configuring the endpoint like this ```rust let endpoint = Endpoint::builder() .tls_x509() // <--- this enables the old style TLS authentication // ... .bind(); ``` Closes #2798 ## Change checklist - [x] Self-review. - [x] Documentation updates following the [style guide](https://rust-lang.github.io/rfcs/1574-more-api-documentation-conventions.html#appendix-a-full-conventions-text), if relevant. - [x] Tests if relevant. - [x] All breaking changes documented. --------- Co-authored-by: Philipp Krüger <philipp.krueger1@gmail.com>
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Description
This introduces the configuration of the TLS authentication method, allowing to enable the usage of raw public keys, which will lead to us being able to remove the hack of using self signed certificates.
Breaking Changes
By default iroh endpoints will now use the new
RawPublicKeyTLS configuration. This means they will not be able to talk to older iroh nodes. If needed, the old mechanism can still be used by configuring the endpoint like thisCloses #2798
Change checklist