Skip to content

fix(iroh)!: Update dependencies & fix 0-RTT with newer rustls by pulling the expected NodeId out of the ServerName in verifiers #3290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
May 7, 2025
Merged

fix(iroh)!: Update dependencies & fix 0-RTT with newer rustls by pulling the expected NodeId out of the ServerName in verifiers #3290

merged 14 commits into from
May 7, 2025

Conversation

matheus23
Copy link
Member

@matheus23 matheus23 commented May 5, 2025
edited
Loading

Description

This is code that will both update deps like #3288 but also makes 0-RTT tests pass again.

They were failing due to a change in rustls:

Behavior change: Clients no longer offer resumption between different ClientConfigs that share a resumption store but do not share server certificate verification and client authentication credentials. If you share a resumption store between multiple ClientConfigs, please ensure their server certificate verification and client authentication credentials are also shared. Please read the new documentation on the ClientConfig::resumption item for details.

Additionally, if you share a resumption store or ticketer between multiple ServerConfigs, please see the new documentation on ServerConfig about this.

Essentially what they're doing is checking that the certificate verifiers are Arc::prt_eq and depending on that allow or disallow 0-RTT.

When running the tests with rustls logging enabled, I confirmed that this is indeed what's happening:

[TRACE rustls::msgs::persist] resumption not allowed between different ServerCertVerifiers

The fix isn't straight-forward.
The reason we're creating new ServerVerifiers every time is that we're passing in the expected remote node ID every time.

There used to be no other way of grabbing the other node's ID in the verifier, until, coincidentally #3146 landed, which changed the server name that's set when connecting from always being localhost to <base32 NodeId>.iroh.invalid.

I'm now pulling in that value from the ServerName that's passed to the ServerCertificateVerifier in verify_server_cert.
As far as I understand that value should be a client-set value not a value we get over the network.

The downside of doing this is that we'll not be compatible with iroh versions that don't use the <base32 NodeId>.iroh.invalid server names.

There's an unrelated change in here that's changing make_client_config and make_server_config infallible, as was done in #3161, which will definitely also have merge conflicts with this PR.

Breaking Changes

  • Router::spawn is now a plain function instead of an async fn
  • Router::spawn is now infallible, instead of returning anyhow::Result<()>

Change checklist

  • Self-review.
  • Documentation updates following the style guide, if relevant.
  • All breaking changes documented.
    • List all breaking changes in the above "Breaking Changes" section.

@matheus23 matheus23 self-assigned this May 5, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/3290/docs/iroh/

Last updated: 2025-05-07T11:37:57Z

dignifiedquire
dignifiedquire reviewed May 5, 2025
View reviewed changes
@n0bot n0bot bot added this to iroh May 5, 2025
@github-project-automation github-project-automation bot moved this to 🏗 In progress in iroh May 5, 2025
@Frando
Copy link
Member

Frando commented May 5, 2025
edited
Loading

Cannot connect to iroh nodes of versions 0.32 or below due to changes in how the TLS setup works. (Accepting incoming connections should keep working just fine.)

Deltachat only updated to 0.33 ~2 months ago, so I presume that this change would mean that Deltachat cannot update to 0.35 because this would be a wire-level breaking change towards all Deltachat versions which are older than 2 months. AFAIK deltachat so far intended to update to 0.35 as a last update before iroh 1.0.

@matheus23
Copy link
Member Author

matheus23 commented May 6, 2025
edited
Loading

Yeah honestly, I think this PR should probably not go into this release.

Regressing 0-RTT in this release vs. what is effectively a soft wire-breaking change makes me choose regressing 0-RTT.

This is all incorrect. See the comment below.

@matheus23
Copy link
Member Author

Actually @flub correctly pointed out: It's not actually a wire-breaking change! As I write in the PR review comment, the server_name that's checked isn't the one that's set from the remote node, it's the server name that we set. Thus, there's no breaking change concerns.

This is easy enough to test, so I pulled out the echo.rs example at tag v0.32.0 and this branch's echo.rs example, and let them connect to each other via a small modification so I could enter a NodeTicket, and yeah, it works.

I didn't test 0-RTT, since (1) the changes in this PR are actually only tangentially relevant to 0-RTT and are more changes to how we configure rustls' client authentication/server authentication, and (2) because version 0.32 didn't have 0-RTT support.

@matheus23
Make StaticConfig::tls_config private
b7aad71 
It was set to `pub(crate)` needlessly.
dignifiedquire
dignifiedquire reviewed May 6, 2025
View reviewed changes
dignifiedquire
dignifiedquire reviewed May 6, 2025
View reviewed changes
@matheus23 matheus23 requested a review from dignifiedquire May 7, 2025 09:20
@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2025
edited
Loading

Netsim report & logs for this PR have been generated and is available at: LOGS
This report will remain available for 3 days.

Last updated for commit: 6d2e4c6

@matheus23 matheus23 changed the base branch from rtt-sad to main May 7, 2025 11:23
@matheus23 matheus23 changed the title fix(iroh): Pull the expected NodeId out of the ServerName in verifiers fix(iroh): Update dependencies & fix 0-RTT with newer rustls by pulling the expected NodeId out of the ServerName in verifiers May 7, 2025
@matheus23 matheus23 mentioned this pull request May 7, 2025
Closed
@matheus23
Copy link
Member Author

Not updating redb as that'd be MSRV breaking

@matheus23 matheus23 added this to the 0.35.0 milestone May 7, 2025
@dignifiedquire dignifiedquire changed the title fix(iroh): Update dependencies & fix 0-RTT with newer rustls by pulling the expected NodeId out of the ServerName in verifiers fix(iroh)!: Update dependencies & fix 0-RTT with newer rustls by pulling the expected NodeId out of the ServerName in verifiers May 7, 2025
@dignifiedquire dignifiedquire added this pull request to the merge queue May 7, 2025
Merged via the queue into main with commit af882a6 May 7, 2025
30 checks passed
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in iroh May 7, 2025
@matheus23 matheus23 deleted the matheus23/rtt-happy branch May 8, 2025 09:20
@matheus23 matheus23 mentioned this pull request May 12, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dignifiedquire dignifiedquire dignifiedquire approved these changes

Assignees

@matheus23 matheus23

Labels
None yet
Projects
iroh
Status: ✅ Done
Milestone
0.35.0
Development

Successfully merging this pull request may close these issues.
3 participants
@matheus23 @Frando @dignifiedquire