TLS #63

Closed
leto opened this issue Oct 31, 2017 · 24 comments

@leto
Member

leto commented Oct 31, 2017

Describe the issue

Hush only supports HTTP and therefore connecting to an RPC backend is only "safe" over localhost, otherwise it would leak lots of metadata and rpc user/pass. Hush should support TLS like Bitcoin and other coins like Zen. Encrypted p2p connections will additionally greatly reduce network metadata available to snoopy people.

Bounty

TBD

Can you reliably reproduce the issue?

Yup

If so, please list the steps to reproduce below:

  1. Observe
  2. No
  3. TLS

Expected behaviour

Support TLS connections.

Actual behaviour + errors

No TLS

The version of Hush you were using:

All

Prior Art

See ZEN's TLS_integration branch: https://github.com/zencashio/zen/compare/master...ZencashOfficial:TLS_integration?expand=1
and the corresponding issue: HorizenOfficial/zen#26

@radix42
Contributor

radix42 commented Oct 31, 2017

If anyone is going to work this bounty, please contact me first to discuss issues with it.

@kentsommer
Contributor

Is anyone currently working on this?

@oDinZu
Contributor

oDinZu commented Nov 5, 2017

@kentsommer I have spent a lot of time on this, but I am still learning. If I am in the right direction, you can build on or checkout what I did so far here: https://github.com/csharpee/hush/tree/hush-tls

At the moment, the build is not successful and has header.h files needing to be added or updated -- I am still not sure. I read through 124 commits and added only tls & openssl related things into the hush codebase from ZcashOfficial TLS_Integration help shared here by @leto.

This is the error I am getting after building:

In file included from main.h:18:0,
                 from sendalert.cpp:42:
net.h:156:8: error: ‘SSL_CTX’ does not name a type
 extern SSL_CTX *tls_ctx_server;
        ^
net.h:157:8: error: ‘SSL_CTX’ does not name a type
 extern SSL_CTX *tls_ctx_client;
        ^
net.h:331:114: error: ‘SSL’ has not been declared
 CNode(SOCKET hSocketIn, const CAddress &addrIn, const std::string &addrNameIn = "", bool fInboundIn = false, SSL *sslIn = NULL);

@kentsommer
Contributor

kentsommer commented Nov 7, 2017

@radix42 @csharpee @leto

I have a secure (TLS enabled node) up and running on hush. Guide for setup and various other documentation is needed but... progress. You were on the right track @csharpee!

hush_tls

@oDinZu
Contributor

oDinZu commented Nov 7, 2017

Nice, good work @kentsommer -- you make this look easy =).

I didn't want to just copy everything over so I set up a C++ IDE and started reading through the code to make sense of it. I went through each commit and possibly missed something. I started to think maybe zcash disabled this for its earlier version and began looking through the depends/packages/openssl.mk file to make sure we weren't using old SSL and also made sure we can use Diffie-Hellman key exchanges for our nodes. Everything looked good to my knowledge.

I need to go back through the code and see what I did wrong. I do know I did not set up the CA or TLS for my node to work, for I was unable to build. I think it's a simple fix, just clueless at the moment. I will dive into it more tomorrow after class if I can.

Some concerns at the moment are whether we want to allow nodes to connect to other nodes without TLS. The setup as it is now is set up to allow both non-TLS and TLS nodes. I did not disable public nodes, for I was not sure what Hush wanted.

- Should TLS only be allowed or at least (recommended)?
- If hush wants to connect to TLS only nodes, we need an option to do so.
- Should we allow TLS 1.1 for aid in old browsers?

Some testing I want to do:
- Does OCSP Stapling cause any concerns with hush node?
- Does HPKP Protection cause any issues with the hush node?
- Will we be able to use TLS Encrypt CA for our ACME certbot protection with the hush node?
- Tor Integration + TLS have any issues?

@kentsommer
Contributor

kentsommer commented Nov 7, 2017

@csharpee

Hopefully I haven't stepped on any toes, just trying to get hush pushed forward 👍

Yes, I agree, allowing the choice to connect to TLS only would be a good thing to add.

Notes for you (@csharpee):

  1. SSL ca certs are not required until the actual "runtime" of the node so building is not at all tied with them (re-reading your post I think you already knew this so ignore :neckbeard: ).

  2. Looks like you are just missing a few auto-tools settings and includes:

    • Some features need to be enabled in: depends/packages/openssl.mk
    • Missing tlskeypath and tlscertpath code blocks in: src/init.cpp
    • Missing #include <openssl/bio.h> and #include <openssl/ssl.h> in: src/net.h
    • Missing SSL *ssl; var definition in: src/net.h

@oDinZu
Contributor

oDinZu commented Nov 7, 2017

No not at all man, I am still learning and am happy to help. You are being more than respectful, I am with you - getting hush pushed forward 👍

@kentsommer
Contributor

kentsommer commented Nov 7, 2017

The secure node system in hush might also require something similar to the secure node tracking in zencash (outline is on page 10 and 11 of their whitepaper).

Not sure what it would look like, but making that system decentralized seems like a good move.

@radix42 Any thoughts on system architecture / do we require this?

@oDinZu
Contributor

oDinZu commented Nov 8, 2017

@kentsommer thanks for the tips man. I got the build working. I don't have a CA setup yet though on testing user account.
@radix42 I am leaving this alone until more direction.

Thank you for running a HUSH node!
You're helping to secure everyone's privacy


In order to ensure you are adequately protecting your privacy when using Hush,
please see <https://github.com/MyHush/hush/blob/master/doc/security.md>.

           Block height | 16865
            Connections | 3
            Secure connections | 3 (TLS: 0)
  Network solution rate | 1 Sol/s
    Local solution rate | 0.4907 Sol/s

You are mining with the tromp solver on 1 threads.

Since starting this node 3 minutes, 40 seconds ago:
- You have validated no transactions.
- You have completed 56 Equihash solver runs.

[Press Ctrl+C to exit] [Set 'showmetrics=0' to hide]

$ ./src/hush-cli getmininginfo
{
  "blocks": 16861,
  "currentblocksize": 1000,
  "currentblocktx": 0,
  "difficulty": 7.297981625835189,
  "errors": "",
  "genproclimit": 1,
  "localsolps": 0.3636363636363636,
  "networksolps": 1,
  "networkhashps": 1,
  "pooledtx": 0,
  "testnet": true,
  "chain": "test",
  "generate": true
}
$ ./src/hush-cli getnetworkinfo
{
  "version": 1001250,
  "subversion": "/BalefulStatic:1.0.12/",
  "protocolversion": 170002,
  "localservices": "0000000000000001",
  "timeoffset": 0,
  "connections": 3,
  "tls_cert_verified": false,
  "networks": [
    {
      "name": "ipv4",
      "limited": false,
      "reachable": true,
      "proxy": "",
      "proxy_randomize_credentials": false
    },
    {
      "name": "ipv6",
      "limited": false,
      "reachable": true,
      "proxy": "",
      "proxy_randomize_credentials": false
    },
    {
      "name": "onion",
      "limited": true,
      "reachable": false,
      "proxy": "",
      "proxy_randomize_credentials": false
    }
  ],
  "relayfee": 0.00000100,
  "localaddresses": [
  ],
  "warnings": ""
}

@matthewjamesr
Contributor

@kentsommer could you join us in our Discord sometime? @radix42 and I would like to group chat you one night.

@kentsommer
Contributor

@matthewjamesr

I'm in the KST (Korean Standard) time zone, but if you had a time in mind (evening or morning my time would be best - busy during the day) I am happy to chat for a bit.

@matthewjamesr
Contributor

Heads up: I will be in Korea around mid Feb, for three years. Sounds like a plan; I will chat with @radix42 about a time.

@WaveringAna

> Not sure what it would look like, but making that system decentralized seems like a good move.

That's the plan actually once we set up the dao with zen. It can be set up as a layer 2 thing: nodes verify other nodes and check they follow a strict protocol, append it to a list for other nodes to verify and check. The only tricky part is how do we do payments while keeping it anonymous and decentralized.

@kentsommer
Contributor

@aayanl Payments as in rewards to those running the secure nodes?

@WaveringAna

WaveringAna commented Nov 8, 2017 via email

@kentsommer
Contributor

I've confirmed the ability to make TLS connections on the hush testnet:

hushtls

I will work on documentation for setup over the next few days in my free time.

@kiloutyg

kiloutyg commented Nov 8, 2017

I can't wait for those docs to contribute to the testing!

@matthewjamesr
Contributor

Re: managing TLS nodes

I think we can simply manage this by inserting a new config flag secureonly=0, or another sensible flag name.

0: False
1: True

We can maintain a second DNS seed for TLS nodes. Thoughts @radix42 @kentsommer @madbuda ?
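
A node that accepts both TLS and non-TLS peers, as discussed above, has to tell them apart before applying a `secureonly` policy or a minimum TLS version. The following is an added example, not code from Hush, Zen, or any participant in this thread: it classifies an inbound connection from its first bytes. `PeerAction`, `LooksLikeClientHello`, `ClassifyInbound` and the sample byte arrays are hypothetical; only the `secureonly` flag name comes from the thread.

```cpp
// Added illustration; not Hush or Zen code. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum class PeerAction { StartTls, AllowPlaintext, Drop };

constexpr uint8_t  kRecordHandshake = 0x16;   // TLS record content type
constexpr uint8_t  kClientHello     = 0x01;   // handshake message type
constexpr uint16_t kTls12           = 0x0303; // 0x0302 would be TLS 1.1
constexpr size_t   kMaxRecordLen    = 16384;  // 2^14 plaintext record limit

// True when buf starts with a plausible TLS record carrying a ClientHello.
// Layout: type(1) version(2) length(2) | hs_type(1) hs_len(3) client_version(2)
bool LooksLikeClientHello(const uint8_t* buf, size_t len, uint16_t* offered) {
    if (len < 11) return false;                    // need both headers
    if (buf[0] != kRecordHandshake || buf[1] != 0x03) return false;
    const size_t recLen = (size_t(buf[3]) << 8) | buf[4];
    if (recLen < 6 || recLen > kMaxRecordLen) return false;
    if (buf[5] != kClientHello) return false;
    *offered = uint16_t((buf[9] << 8) | buf[10]);  // highest version offered
    return true;
}

// Decide what to do with an inbound peer from the first bytes it sent.
// The caller should have at least 11 bytes buffered (for example via
// recv with MSG_PEEK). secureOnly mirrors secureonly=1 from the thread.
PeerAction ClassifyInbound(const uint8_t* buf, size_t len,
                           bool secureOnly, uint16_t minVersion = kTls12) {
    uint16_t offered = 0;
    if (LooksLikeClientHello(buf, len, &offered))
        return offered >= minVersion ? PeerAction::StartTls : PeerAction::Drop;
    return secureOnly ? PeerAction::Drop : PeerAction::AllowPlaintext;
}

// Constructed samples: a TLS 1.2 hello prefix, a TLS 1.1 hello prefix, and
// 11 bytes that are not a TLS record (stand-in for a plaintext p2p header).
const uint8_t kHello12[11] = {0x16,0x03,0x01,0x00,0x2f, 0x01,0x00,0x00,0x2b, 0x03,0x03};
const uint8_t kHello11[11] = {0x16,0x03,0x01,0x00,0x2f, 0x01,0x00,0x00,0x2b, 0x03,0x02};
const uint8_t kPlain[11]   = {0xaa,0xbb,0xcc,0xdd,'v','e','r','s','i','o','n'};

int main() {
    const char* names[] = {"start TLS", "allow plaintext", "drop"};
    std::printf("TLS 1.2, secureonly=1: %s\n", names[int(ClassifyInbound(kHello12, 11, true))]);
    std::printf("TLS 1.1, secureonly=1: %s\n", names[int(ClassifyInbound(kHello11, 11, true))]);
    std::printf("plain,   secureonly=0: %s\n", names[int(ClassifyInbound(kPlain, 11, false))]);
}
```

The check only routes the connection; the TLS library still performs the real handshake and enforces the negotiated version.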

@kentsommer
Contributor

kentsommer commented Nov 11, 2017

@matthewjamesr

That sounds reasonable to me if we stick with TLS as the peer-to-peer encryption scheme. However, I'm not super set that TLS is the way to go for this security enhancement. I've been looking at the solution proposed in BIP 151 as well.

I floated the idea by @radix42 recently but I think we should get everyone's opinion.

@matthewjamesr
Contributor

I'll give it a read. I am ok with whatever the group reaches consensus with.

@lludlow
Contributor

lludlow commented Nov 11, 2017

👍 on BIP 151

@matthewjamesr
Contributor

@kentsommer I concur and am ok with BIP 151.

@matthewjamesr
Contributor

matthewjamesr commented Nov 15, 2017

After discussion between myself, @radix42, and @kentsommer, we have decided to PR the TLS branch. BIP 151 might be implemented on a future date/time.

@WaveringAna

WaveringAna commented Nov 15, 2017

👍 the ca stuff is only unique to zen securenodes, glad to see more coins implementing encrypted network stacks 😃

@kentsommer
Contributor

This is closed out by #68 :neckbeard:


8 participants