devchat notes from 31-Jan-2017

Brian Warner warner at lothar.com
Wed Feb 1 01:53:15 UTC 2017 

Notes from tahoe devchat 31-Jan-2017

Attendees: warner, str4d, meejah, daira

We spent the whole time investigating #2861 (an SSL handshake failure
when using I2P on 1.12).

The root cause was found to be txi2p's unusual approach to server
connections, coupled with Twisted's TLS handling.

Most protocols (TCP, Tor) receive inbound connections by listening on a
TCP socket, and then accepting connections (either from the real client,
for TCP, or from the local Tor daemon). I2P is an exception, because the
Tahoe server makes an *outbound* connection to the I2P daemon, then asks
the daemon to use that TCP link for *inbound* I2P connections.

Twisted uses the type of the underlying connection (outbound client, or
inbound server) to decide which kind of TLS handshake it should emit: a
ClientHello, or a ServerHello. TLS requires exactly one side to send a
ClientHello, after which the other side sends the matching ServerHello.
When both sides are using client-like connections, both sides send a
ClientHello, and the TLS negotiation fails.

We're trying to figure out the cleanest way to fix this. It might be to
patch Twisted to add a new argument to the startTLS() call (probably
"side=", so you could explicitly request either client or server, and
ignore the underlying connection type). We'd then make a corresponding
change to Foolscap, wait for the next Twisted release, and bump the
dependencies.

Or it might be easier to change Foolscap's TLS handling, to switch to
TLS in a different way, that would give us more control over the
handshake side it uses (in short, switch from startTLS to direct use of
TLSMemoryBIOProtocol). That wouldn't require any changes to Twisted,
just a new version of Foolscap, but would probably be more work.

Feel free to follow along on
https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2861 for the details.

Other work that's ongoing:

* ramki got tahoe 1.12.1 into Debian (sid) in plenty of time to make the
  Stretch freeze. 1.12.1 is now in "testing", and everything in
  "testing" will be frozen for the Stretch release on 05-Feb. If you use
  debian (sid or testing), please "apt install tahoe-lafs" and make sure
  everything works as expected. We know of two problems right now: I2P
  doesn't work (see above, but it doesn't matter quite so much because
  I2P isn't packaged in debian yet), and "tahoe --version" emits a
  scary-looking but benign warning about dependency versions.

* meejah and dawuud have been working hard at bringing #1382
  (servers-of-happiness, server-selection cleanups) up to date, so
  hopefully we can land it soon

* meejah has also been working on #2237 (cloud-backend), and I think the
  next step will be to incrementally land changes from that branch on
  trunk, then merging from master back into the branch until it shinks
  away into nothing. Basically mining the branch for patches in an order
  that makes review and merging easier to manage.

* there are a couple of other PRs on github that should be landable
  without too much work


We meet online every tuesday morning at 9am pacific. We announce the
Google Hangout URL in the #tahoe-lafs IRC channel shortly beforehand.
Come join us!

cheers,
 -Brian

More information about the tahoe-dev mailing list