[tor-bugs] #18655 [meek]: Make meek-server easy to use with Let's Encrypt

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 10 06:45:01 UTC 2016


#18655: Make meek-server easy to use with Let's Encrypt
-------------------------+---------------------
 Reporter:  dcf          |          Owner:  dcf
     Type:  enhancement  |         Status:  new
 Priority:  Medium       |      Milestone:
Component:  meek         |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
-------------------------+---------------------

Comment (by yawning):

 Replying to [comment:5 dcf]:
 > Replying to [comment:4 yawning]:
 > > I stand corrected, as long as you use Go 1.6 or later, reloading the
 > > cert is trivial (See `tls.Config.GetCertificate`).  dcf, is "you must
 > > build with Go 1.6 or later" a reasonable requirement for `meek-server`?
 >
 > Good idea. Requiring Go 1.6 is fine.

 https://git.schwanenlied.me/yawning/meek/commit/b749b5846115d10ba5cc409f5f150362bb4dae57

 Untested; it should work, and if there's something wrong it should be
 trivial.  Behavior is:

  * If the cert/key fail to `stat()` or load when creating the listener,
 fail hard.
  * On each incoming connection, if the mtime of *either* the cert or
 key has changed, reload the certificate, otherwise use the cached cert.
  * Once the listener is created, failures to `stat()` or reload the
 certificate result in an error message logged at most once every 60s, and
 the existing cached certificate to be used.

 Note that `stat()`-ing 2 files every incoming connection may be a tad
 expensive (though that's outside the mutex).  Performance can be improved
 by only reloading once in a while (`gettimeofday()` is vDSO-ed on sensible
 systems), and by using a `RWLock` instead of a `Mutex`.  Both to me are
 premature optimizations since TLS handshake crypto blows both 2 syscalls
 and slight lock contention out of the water overhead-wise.

 I think the other half of this is easiest to implement via an
 `--acme-webroot` that lets meek-server serve files over port 80 like you
 mentioned in your tor-dev@ e-mail.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18655#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online