[tor-bugs] #5595 [Tor]: Some relays tried to refetch maatuska's new certificate repeatedly

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Mar 21 20:41:26 UTC 2013


#5595: Some relays tried to refetch maatuska's new certificate repeatedly
------------------------------------+---------------------------------------
 Reporter:  rransom                 |          Owner:  andrea            
     Type:  defect                  |         Status:  assigned          
 Priority:  critical                |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor                     |        Version:                    
 Keywords:  tor-relay 023-backport  |         Parent:                    
   Points:                          |   Actualpoints:                    
------------------------------------+---------------------------------------

Comment(by andrea):

 At present, authority_certs_fetch_missing() generates a list of identity
 digests of trusted dir servers and signers in the provided consensus; this
 is wrong in the case that it encounters a signed object in the consensus
 with a certificate other than the newest for that authority, and will
 cause it to repeatedly try to download the newest certificate for that
 authority, emit this warning when it sees it already has that one, and
 never get the one it actually needs to stop re-requesting it.

 The solution is to modify authority_certs_fetch_missing() to assemble two
 lists of missing certificates, one by identity digest for any we don't
 have in trusted_dir_servers, and use /tor/keys/fp/<identity-digest>
 requests just as the current implementation does, but also assemble a list
 of (identity digest, signing key digest) pairs for signing certificates
 needed to verify a consensus and launch another request using
 /tor/keys/fp-sk/... for those certificates.  Since nothing actually uses
 /tor/keys/fp-sk at the moment, implementation of this will occur pending
 verification that these requests actually work.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5595#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
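
The two-list selection described in the comment above, as an added example in C (a simplified model, not Tor's code and not from the ticket). The struct, function names and digest strings are constructed for illustration; the `<identity>-<signing key>` pair form and the `+` separator between items are assumptions taken from Tor's directory specification, not from the post.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Tor's code. Digests are short constructed strings. */
typedef struct { const char *id, *sk; } cert_ref_t;

char fp_url[256], fpsk_url[256];            /* filled by plan_cert_fetch() */

/* sk == NULL asks "is any certificate cached for this authority?" */
static int have_cert(const cert_ref_t *c, int n, const char *id, const char *sk) {
  for (int i = 0; i < n; i++)
    if (!strcmp(c[i].id, id) && (!sk || !strcmp(c[i].sk, sk))) return 1;
  return 0;
}

/* Append item to url: path prefix before the first item, '+' afterwards. */
static void add_item(char *url, size_t len, const char *prefix, int *n, const char *item) {
  size_t used = strlen(url);
  if (used >= len) return;                  /* buffer full: drop the item */
  snprintf(url + used, len - used, "%s%s", (*n)++ ? "+" : prefix, item);
}

/* Returns how many certificates are requested across both URLs. */
int plan_cert_fetch(const char **trusted, int n_trusted,
                    const cert_ref_t *sigs, int n_sigs,
                    const cert_ref_t *cache, int n_cache) {
  int n_fp = 0, n_pair = 0;
  char pair[128];
  fp_url[0] = fpsk_url[0] = '\0';
  for (int i = 0; i < n_trusted; i++)       /* list 1: nothing cached at all */
    if (!have_cert(cache, n_cache, trusted[i], NULL))
      add_item(fp_url, sizeof fp_url, "/tor/keys/fp/", &n_fp, trusted[i]);
  for (int i = 0; i < n_sigs; i++) {        /* list 2: exact signing key missing */
    if (have_cert(cache, n_cache, sigs[i].id, sigs[i].sk)) continue;
    snprintf(pair, sizeof pair, "%s-%s", sigs[i].id, sigs[i].sk);
    add_item(fpsk_url, sizeof fpsk_url, "/tor/keys/fp-sk/", &n_pair, pair);
  }
  return n_fp + n_pair;
}

/* Constructed case: newest cert for AAAA0001 is cached, but the consensus
 * signature names its older signing key; BBBB0002 has no cert cached. */
int demo(void) {
  const char *trusted[] = { "AAAA0001", "BBBB0002" };
  cert_ref_t cache[] = { { "AAAA0001", "2222AAAA" } };
  cert_ref_t sigs[]  = { { "AAAA0001", "1111AAAA" } };
  return plan_cert_fetch(trusted, 2, sigs, 1, cache, 1);
}

int main(void) { demo(); printf("%s\n%s\n", fp_url, fpsk_url); return 0; }
```

In the constructed case, a lookup by identity digest alone would treat AAAA0001 as satisfied or re-request its newest certificate; keying the second list on the signing key digest is what names the older certificate the signature actually needs.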

