The reason iroh probes get 503'd from Anthropic's web sandbox
(and likely from any environment fronted by a strict WAF).

iroh's `iroh::defaults::prod::default_relay_map()` ships hostnames
in FQDN-absolute form, e.g.
`"euc1-1.relay.n0.iroh-canary.iroh.link."` — note the trailing
dot. When iroh builds an HTTPS probe URL, the dot propagates
into reqwest's HTTP `Host` header on the wire. WAFs that treat
trailing-dot Host as a known bypass-attempt signature (it's a
real virtual-host-routing exploitation pattern) reject those
requests with synthetic 503s. iroh's `net_report` cycle stays
permanently stuck on those 503s, and its connect path doesn't
fall through to direct-dial even when an EndpointTicket
supplied via `--peers` carries explicit addresses.

triblespace-net 0.41.3 transforms iroh's prod default relay
map at endpoint-build time via `dot_stripped_default_relay_map()`,
stripping the trailing dot from each relay hostname before
iroh constructs the `RelayUrl`. Passed via
`RelayMode::Custom(map)` to override the preset's
`RelayMode::Default`. Same upstream relays (DNS resolution
doesn't care about absolute/relative-form distinction);
HTTP-canonical Host header on the wire.

Diagnosed in the web sandbox by a parallel Claude instance via
a beautiful narrowing experiment: ruled out User-Agent
(`reqwest/0.12.x` works), TLS fingerprint (vanilla
rustls+reqwest+native-roots succeeds 20/20 in the same second
iroh's own probes get 12/12 503'd), burst rate, HTTP version,
and headers. Smoking gun: iroh's log showed the URL with
`...iroh.link./ping` (dot before slash). Curl with explicit
trailing dot in URL or Host header 503s; without it, 200.

Out of scope for this patch: filing upstream at iroh to
normalize trailing dots in `RelayUrl::parse` or the
hostname constants themselves. That's the proper fix; this
is the triblespace-side workaround until it lands.

All 8 workspace crates bumped 0.41.2 → 0.41.3. Source change
in `triblespace-net` only (the helper function + the
endpoint builder wire-up). Verified locally: listener still
connects to euc1-1 cleanly, ticket prints, no regressions in
the 17 lib + integration test suite. Adds `url = "2"` as a
direct dep of triblespace-net for the host-rewrite transform.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
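
The trailing-dot host normalization described in the commit message, as an added example that is not code from the commit, triblespace-net or iroh. `strip_host_trailing_dot` is a hypothetical name, and it uses only the standard library rather than the `url` crate the commit mentions; the sample URLs other than the relay hostname quoted above are constructed.

```rust
/// Returns `url` with a single trailing dot removed from its host, keeping
/// scheme, userinfo, port, path, query and fragment untouched.
/// Returns None when there is no "scheme://" prefix or the host is empty.
/// Hypothetical helper for illustration, not the project's implementation.
fn strip_host_trailing_dot(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    // The authority component ends at the first '/', '?' or '#'.
    let auth_end = rest
        .find(|c: char| matches!(c, '/' | '?' | '#'))
        .unwrap_or(rest.len());
    let (authority, tail) = rest.split_at(auth_end);
    // Optional userinfo is everything up to and including the last '@'.
    let (userinfo, hostport) = match authority.rfind('@') {
        Some(i) => authority.split_at(i + 1),
        None => ("", authority),
    };
    // Bracketed IPv6 literals have no DNS root label; pass them through.
    if hostport.starts_with('[') {
        return Some(url.to_string());
    }
    // Split off ":port" so the dot check applies to the host only.
    let (host, port) = match hostport.rfind(':') {
        Some(i) => hostport.split_at(i),
        None => (hostport, ""),
    };
    let host = host.strip_suffix('.').unwrap_or(host);
    if host.is_empty() {
        return None;
    }
    Some(format!("{}://{}{}{}{}", scheme, userinfo, host, port, tail))
}

fn main() {
    // First URL uses the hostname quoted in the commit message; the rest are constructed.
    for u in [
        "https://euc1-1.relay.n0.iroh-canary.iroh.link./ping",
        "https://relay.example.:8443/ping",
        "https://relay.example/ping",
        "https://[::1]:443/ping",
    ] {
        println!("{} -> {:?}", u, strip_host_trailing_dot(u));
    }
}
```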