Add /wss dialing support #15
Conversation
|
What's missing for this to be merged @lgierth @whyrusleeping |
| var WsFmt = mafmt.And(mafmt.TCP, mafmt.Base(WsProtocol.Code)) | ||
| var WsFmt = mafmt.Or( | ||
| mafmt.And(mafmt.TCP, mafmt.Base(WsProtocol.Code)), | ||
| mafmt.And(mafmt.TCP, mafmt.Base(WssProtocol.Code)), |
There was a problem hiding this comment.
It might be more readable as TCP and (WS or WSS) instead of (TCP and WS) or (TCP and WSS)
|
Status: This needs to be updated for the new websockets library. Also, in case anyone is wondering,
Is not a security problem, it just means one can't actually dial (as far as I can tell). Speaking of which, this will make it possible to talk about wss addresses but I don't see how it will allow us to advertise them (as we still can't listen on wss addresses). |
For the /wss listening part, It'll still require a TLS reverse proxy (nginx et al) in front. If we wanna actually support TLS in go-ipfs itself (we should at some point), we should look into using Caddy as a library. Same applies to the gateway. |
We can advertise pretty much anything we like now (through |
Ah. I thought we only advertised addresses when we succeeded on listening on it.
We should also consider implementing a handshake like the one I described in libp2p/go-libp2p#34 (comment) to avoid double encryption. |
Yeah! It'll be next to impossible to get key/cert information in the browser though, which would be neccessary to verify the communication channel. But let's keep our eyes open -- other impossible things have become possible. |
|
Browsers can probably rely on origins (as much as I hate relying on the CA system when we don't actually need to do so). We just need some way to identify the connection. |
I mean verifying the actual encrypted and signed communication channel -- there's stuff like TLS interception and so. I think it's a bad idea to sacrifice the integrity of the connection for performance gains. |
|
Assuming the CA system hasn't been compromised, the domain of the website you're connecting to should be sufficient. We just need a name that the client can verify. |
|
That's a pretty bold assumption ;) There's regular commercial MitM boxes on the one hand, and CAs run by quasi-state actors on the other. But yes if we somewhat trust the underlying TLS connection, we can verify the remote end either by relying on future APIs in the browser, or by doing a proper secio handshake that we throw away right after. |
Well, yes. But you work with what you have.
Those generally assume you can install certs in the browser. |
ghost
mentioned this pull request
|
@lgierth FYI, this still needs some TLC before it can be merged. And I now agree, let's just not do security at this level; we can consider doing that later (should be fairly easy to do with multistream). |
|
This'll probably need to be redone given the refactor. |
|
Any progress on this? this wont be resolved until the next version of IPFS I take it? |
|
This is something we'd like but isn't a high priority at the moment. However, we'd be happy to take a patch if you can get this working! |
We can't actually do much with it yet because we lack the ability to describe HTTP and TLS/SNI hostnames, but whatever, here goes :)
At least it enables us to understand and announce
/wssmultiaddrs, which is nice for browsers/interop UX.