Opened 5 years ago

Closed 4 years ago

#11457 closed defect (implemented)

Making a signing cert in the future will make everybody discard your real signing cert and then want it again

Reported by: arma Owned by:
Priority: High Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: 026-triaged-1, nickm-patch, andrea-review
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Run an authority, with a normal signing authority_certificate. Then move your date into the future (has to be more than one week in the future), and generate and use another signing cert. Relays, clients, and other directory authorities will smoothly upgrade to your new one, and (barring issues like #11454) throw out your old signing cert.

Then throw out your shiny new one, and go back to the one you had been using. Other Tors (dir auths, relays, clients) will say "oh hey, a signature from a cert I don't recognize, let me fetch that". So far so good.

Then 60 seconds later they'll discard this cert, because they know a newer one. Oops.

But this is where it gets good. Your authority discards this older cert too. So do other authorities. And relays.

And then everybody wants a copy and nobody has one, so every 60 seconds everybody asks the next layer up in the dir hierarchy. Everybody's logs are filled with

Apr 09 03:44:55.000 [warn] Received http status code 404 ("Not found") from server '127.0.0.1:3002' while fetching "/tor/keys/fp-sk/AD23D263206B997C73AF9B488322E91766748C2C-4335577168B0C0C22AC4A1A0707DD72F41CC8DA6".

each minute.


Change History (10)

comment:1 Changed 5 years ago by arma

Some fixes that come to mind include:

A) If you're a directory authority, and you're about to discard your own signing cert that's in keys/authority_certificate, don't.

B) If you're about to discard a signing cert that signed a consensus or vote you're holding, don't.
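A small simulation of the cache behaviour the description and comment 1 talk about, added here as an example; it is not Tor's code and not the branch under review. A cache drops any signing cert that a newer cert for the same authority identity supersedes; fix A and fix B from comment 1 are switches that exempt the authority's own cert and any cert that signed a held consensus or vote. The fingerprints ID-A, SK-OLD and SK-NEW, the 7-day supersede window and the one-step-per-minute loop are constructed assumptions for the model.

```python
# Added example (not Tor's code): a toy model of the signing-cert cache
# behaviour the ticket describes, with the two fixes from comment 1 as switches.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Cert:
    identity: str   # authority identity-key fingerprint (constructed)
    signing: str    # signing-key fingerprint (constructed)
    published: int  # publication day number, for readability


# The ticket says the replacement cert must be more than a week ahead before the
# old one is treated as superseded; that window is modelled here (assumption).
SUPERSEDE_DAYS = 7


@dataclass
class CertCache:
    own_cert: Optional[Cert] = None   # an authority's cert from keys/authority_certificate
    fix_a: bool = False               # comment 1, A: never discard own_cert
    fix_b: bool = False               # comment 1, B: never discard a cert that signed a held consensus/vote
    certs: dict = field(default_factory=dict)        # (identity, signing) -> Cert
    held_signers: set = field(default_factory=set)   # signing fps of held consensuses/votes
    fetched: list = field(default_factory=list)      # signing fps requested upstream
    not_found: int = 0                               # "404 Not found" answers received

    def add(self, cert: Cert) -> None:
        self.certs[(cert.identity, cert.signing)] = cert

    def get(self, identity: str, signing: str) -> Optional[Cert]:
        return self.certs.get((identity, signing))

    def superseded(self, cert: Cert) -> bool:
        """True when a cert for the same identity is known that is newer by more than the window."""
        return any(c.identity == cert.identity and c.published > cert.published + SUPERSEDE_DAYS
                   for c in self.certs.values())

    def expire(self) -> None:
        """The periodic cleanup: drop superseded certs, unless one of the fixes protects them."""
        for key, cert in list(self.certs.items()):
            if not self.superseded(cert):
                continue
            if self.fix_a and cert == self.own_cert:
                continue
            if self.fix_b and cert.signing in self.held_signers:
                continue
            del self.certs[key]

    def receive_consensus(self, signer: Cert, upstream: "CertCache") -> None:
        """Hold a consensus signed by `signer`; fetch the cert upstream if we do not have it."""
        self.held_signers.add(signer.signing)
        if self.get(signer.identity, signer.signing) is None:
            self.fetched.append(signer.signing)
            cert = upstream.get(signer.identity, signer.signing)
            if cert is None:
                self.not_found += 1      # the 404 in the ticket's log line
            else:
                self.add(cert)


def simulate(fix_a: bool, fix_b: bool, minutes: int = 5):
    """Replay the ticket's scenario; returns (relay fetch attempts, 404s received)."""
    c_old = Cert("ID-A", "SK-OLD", published=0)
    c_new = Cert("ID-A", "SK-NEW", published=30)   # made with the clock moved a month ahead
    authority = CertCache(own_cert=c_new, fix_a=fix_a, fix_b=fix_b)
    relay = CertCache(fix_a=fix_a, fix_b=fix_b)
    for cache in (authority, relay):
        cache.add(c_old)
        cache.add(c_new)
        cache.expire()          # everyone upgrades smoothly and drops the old cert
    # The authority goes back to its old cert (reloaded from disk) and signs with it.
    authority.own_cert = c_old
    authority.add(c_old)
    authority.held_signers.add(c_old.signing)
    for _ in range(minutes):
        relay.receive_consensus(c_old, upstream=authority)
        authority.expire()
        relay.expire()
    return len(relay.fetched), relay.not_found


if __name__ == "__main__":
    for fixes in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"fix_a={fixes[0]} fix_b={fixes[1]}: (fetches, 404s) = {simulate(*fixes)}")
```

Without either fix the relay fetches every minute and, after the first round, nobody upstream has the cert any more; fix A alone keeps the authority able to serve it but the relay still re-fetches each minute; fix B stops the loop on both sides because the cert signed a consensus each of them holds.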

comment:2 Changed 5 years ago by arma

The short-term fix of course is "then don't do that". That's why I put this bug in 0.2.6. This fix works fine until somebody disobeys the rule.

comment:3 Changed 5 years ago by nickm

Priority: normal → major

comment:4 Changed 5 years ago by andrea

Keywords: 026-triaged-1 added

comment:5 Changed 5 years ago by nickm

Status: new → needs_review

See branch "bug11454_11457" for a rewrite of the cert expiration code.

comment:6 Changed 5 years ago by nickm

Keywords: nickm-patch added

Add the nickm-patch keyword to a bunch of needs_review tickets.

comment:7 Changed 4 years ago by nickm

Keywords: andrea-review added

comment:8 Changed 4 years ago by andrea

This branch looks good to merge, as I remarked on #11454.

comment:9 Changed 4 years ago by nickm

Okay, will target for 0.2.6.4-??? or 0.2.7.1-alpha, since 0.2.6.3-alpha comes out today.

comment:10 Changed 4 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merged to master. woooo
