Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate expiry #5594

Open
julienmalard opened this issue Sep 9, 2024 · 3 comments
Open

Certificate expiry #5594

julienmalard opened this issue Sep 9, 2024 · 3 comments

Comments

@julienmalard
Copy link

Summary

As self-signed WebRTC certificates expire after 30 days, the rust peer should generate a new certificate once the old one has expired.

Expected behavior

The rust peer should, when loading an expired certificate, automatically detect that it is no longer valid and instead generate and advertise (and locally save) a new certificate.

Actual behavior

The peer seems to keep using and advertising the expired certificate in the peer address, which leads to unsuccessful connection attempts by other peers that rely on WebRTC.

Relevant log output

No response

Possible Solution

I was unable to find a programmatic way of detecting the certificate's expiry date in rust-libp2p. If this could be done, then regenerating and saving a new certificate should be trivial.

Version

No response

Would you like to work on fixing this bug ?

Yes
@dariusc93
Copy link
Member

Hey! Thanks for the report. Depending on the use-case, it might be more ideal to set a fix expiration date that is far into the future. Ie, 50 years or more from the time of creation. Right now though, the certificate in webrtc is generate at random unless you provide your own you wont be able to change the expiration date without modifying the code

rust-libp2p/transports/webrtc/src/tokio/certificate.rs

Lines 36 to 47 in 3837e33

pub fn generate<R>(_rng: &mut R) -> Result<Self, Error>
where
R: CryptoRng + Rng,
{
let mut params = rcgen::CertificateParams::new(vec![
rand::distributions::Alphanumeric.sample_string(&mut rand::thread_rng(), 16)
]);
params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
Ok(Self {
inner: RTCCertificate::from_params(params).expect("default params to work"),
})
}

@julienmalard
Copy link
Author

Hello,

Would browsers accept such a far-away expiration date? In any case, is there a way of reading the actual expiry date from the certificate in rust? If this is possible, then even a short certificate validity would work, since we could regenerate the certificate when it expires.

@dariusc93
Copy link
Member

Hello,

Would browsers accept such a far-away expiration date?

I would not see why they wouldnt given webrtc certificates are self-signed.

In any case, is there a way of reading the actual expiry date from the certificate in rust? If this is possible, then even a short certificate validity would work, since we could regenerate the certificate when it expires.

It is possible by parsing the PEM and extract it manually. The other way is to use rcgen to parse the PEM and use the struct it returns to access the expiration date.

Maybe in the future, if applicable, we could have some type of checks or maybe an event emitted from the transport to alert about the expiration of the certificate and could attempt to regenerate it with a new expiration date. Of course the connections would need to be reestablished unless webrtc has a way to share the new certificate without dropping and reestablishing the connection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dariusc93 @julienmalard