Absolute paths for TLS cert and key does not work

[sunboshan]

Tendermint version (use tendermint version or git rev-parse --verify HEAD if installed from source):
0.31.5

ABCI app (name for built-in, URL for self-written if it's publicly available):
self-written

Environment:

• OS (e.g. from /etc/os-release): darwin
• Install tools:
• Others:

What happened:
tendermint rpc server tls doesn't work

What you expected to happen:
It shall work

Have you tried the latest version: yes

How to reproduce it (as minimally and precisely as possible):

1. create a self-signed certificate and key
2. put them in config folder and add them into config.toml

tls_cert_file = "cert.pem"
tls_key_file = "key"

3. start tendermint, and try to connect to it

➜ curl -v -k https://127.0.0.1:32767/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 32767 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

It should give me Server Hello response, but it gives me nothing and stuck there.

To make sure the self-signed cert and key are good, here's a working example with a local http server with same cert and key:

➜ curl -v -k https://127.0.0.1:9999
* Rebuilt URL to: https://127.0.0.1:9999/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9999 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
...

Logs (paste a small part showing an error (< 10 lines) or link a pastebin, gist, etc. containing more of the log file):

Config (you can paste only the changes you've made):

node command runtime flags:

/dump_consensus_state output for consensus bugs

Anything else we need to know:

The tls support was added here: #3469

However it feels like doesn't work, and I cannot find any test related to it.

[melekes]

Can you paste the content of your config.toml here?

[melekes]

I wrote a test for our TLS server: #3703. It passes

[melekes]

Can't reproduce with latest develop.

$ TMHOME=/tmp ./build/tendermint init
$ TMHOME=/tmp ./build/tendermint node --proxy_app=kvstore

$ curl -v -k https://localhost:26657/status
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 26657 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: server (does not match 'localhost')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=server
*        start date: Sun, 02 Jun 2019 11:02:07 GMT
*        expire date: Wed, 02 Dec 2020 11:02:04 GMT
*        issuer: CN=tendermint.com
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /status HTTP/1.1
> Host: localhost:26657
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< X-Server-Time: 1559474437
< Date: Sun, 02 Jun 2019 11:20:37 GMT
< Content-Length: 1054
<
{
  "jsonrpc": "2.0",
  "id": "",
  "result": {
    "node_info": {
      "protocol_version": {
        "p2p": "7",
        "block": "10",
        "app": "1"
      },
      "id": "f04b3e3dc63e02409c231c5a2eb116ab4bfc2f90",
      "listen_addr": "tcp://0.0.0.0:26656",
      "network": "test-chain-BoNlZN",
      "version": "0.31.5",
      "channels": "4020212223303800",
      "moniker": "ubuntu-xenial",
      "other": {
        "tx_index": "on",
        "rpc_address": "tcp://0.0.0.0:26657"
      }
    },
    "sync_info": {
      "latest_block_hash": "D250AA5E809CB0A7FED22A3B0FD1F4E4F11A3289C848221E3537E3112126BA9F",
      "latest_app_hash": "0000000000000000",
      "latest_block_height": "99",
      "latest_block_time": "2019-06-02T11:20:36.144181732Z",
      "catching_up": false
    },
    "validator_info": {
      "address": "59146ABECE793939D662C5DCDDA34838ADEAEB2E",
      "pub_key": {
        "type": "tendermint/PubKeyEd25519",
        "value": "PQZrYL+hG4Jj0UD8WesZnPjfdZkc8NPcvZ6QAgemUus="
      },
      "voting_power": "10"
    }
  }
* Connection #0 to host localhost left intact
}

RPC config (config.toml):

##### rpc server configuration options #####
[rpc]

# TCP or UNIX socket address for the RPC server to listen on
laddr = "tcp://0.0.0.0:26657"

# A list of origins a cross-domain request can be executed from
# Default value '[]' disables cors support
# Use '["*"]' to allow any origin
cors_allowed_origins = []

# A list of methods the client is allowed to use with cross-domain requests
cors_allowed_methods = ["HEAD", "GET", "POST", ]

# A list of non simple headers the client is allowed to use with cross-domain requests
cors_allowed_headers = ["Origin", "Accept", "Content-Type", "X-Requested-With", "X-Server-Time", ]

# TCP or UNIX socket address for the gRPC server to listen on
# NOTE: This server only supports /broadcast_tx_commit
grpc_laddr = ""

# Maximum number of simultaneous connections.
# Does not include RPC (HTTP&WebSocket) connections. See max_open_connections
# If you want to accept a larger number than the default, make sure
# you increase your OS limits.
# 0 - unlimited.
# Should be < {ulimit -Sn} - {MaxNumInboundPeers} - {MaxNumOutboundPeers} - {N of wal, db and other open files}
# 1024 - 40 - 10 - 50 = 924 = ~900
grpc_max_open_connections = 900

# Activate unsafe RPC commands like /dial_seeds and /unsafe_flush_mempool
unsafe = false

# Maximum number of simultaneous connections (including WebSocket).
# Does not include gRPC connections. See grpc_max_open_connections
# If you want to accept a larger number than the default, make sure
# you increase your OS limits.
# 0 - unlimited.
# Should be < {ulimit -Sn} - {MaxNumInboundPeers} - {MaxNumOutboundPeers} - {N of wal, db and other open files}
# 1024 - 40 - 10 - 50 = 924 = ~900
max_open_connections = 900

# Maximum number of unique clientIDs that can /subscribe
# If you're using /broadcast_tx_commit, set to the estimated maximum number
# of broadcast_tx_commit calls per block.
max_subscription_clients = 100

# Maximum number of unique queries a given client can /subscribe to
# If you're using GRPC (or Local RPC client) and /broadcast_tx_commit, set to
# the estimated # maximum number of broadcast_tx_commit calls per block.
max_subscriptions_per_client = 5

# How long to wait for a tx to be committed during /broadcast_tx_commit.
# WARNING: Using a value larger than 10s will result in increasing the
# global HTTP write timeout, which applies to all connections and endpoints.
# See https://github.com/tendermint/tendermint/issues/3435
timeout_broadcast_tx_commit = "10s"

# The name of a file containing certificate that is used to create the HTTPS server.
# If the certificate is signed by a certificate authority,
# the certFile should be the concatenation of the server's certificate, any intermediates,
# and the CA's certificate.
# NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
tls_cert_file = "test.crt"

# The name of a file containing matching private key that is used to create the HTTPS server.
# NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
tls_key_file = "test.key"

[sunboshan]

@melekes I tested with your branch and it works. The reason it doesn't work on my first few tries is in my config.toml it's using an absolute path for tls cert and key.

[rpc]
tls_cert_file = "/tmp/cert/cert"
tls_key_file = "/tmp/cert/key"

After move the cert and key to $TMHOME/config folder and change config.toml to

[rpc]
tls_cert_file = "cert"
tls_key_file = "key"

It works.

➜ curl -v -k https://127.0.0.1:32767/status
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 32767 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=localhost
*  start date: May 31 20:50:20 2019 GMT
*  expire date: Jun 30 20:50:20 2019 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f84d3806600)
> GET /status HTTP/2
> Host: 127.0.0.1:32767
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< content-type: application/json
< x-server-time: 1559574849
< content-length: 1088
< date: Mon, 03 Jun 2019 15:14:09 GMT
<
...

So in this pr, seems it has to be a relative path to default config dir. Maybe you can change it to support both relative path and absolute path?

The main reason I want to add the tls is not for encryption, but for http/2. Go's net/http supports http/2, but ONLY with tls. Tendermint is using gRPC only for its broadcast_tx_commit rpc. This can be run on http/2 without tls. I looked into the code, the gRPC is using another go's grpc repo, so it's kind of seperate from the net/http.

So the only way I want to use http/2 for tendermint's rpc server is to add tls. I'm not too familiar with golang but is it possible to use net/http's server with http/2 without tls?

Also there's an issue that tendermint's tls enabled http/2 rpc server will shutdown the client connection in about 10 seconds, even the http/2 client is sending ping frame to the server every 5 seconds. Is there a setting that can passed in to rpc server to somehow prevent this? Cause I want to have a long running http/2 connection with tendermint's rpc server for following rpc request. Tearing down the tcp connection and reconnect is kinda expensive.

Thanks for looking into this issue and adding the test!

[sunboshan]

I think here's why tendermint rpc server tears down h2 connections every 10s.

func DefaultConfig() *Config {
	return &Config{
		MaxOpenConnections: 0, // unlimited
		ReadTimeout:        10 * time.Second,
		WriteTimeout:       10 * time.Second,
	}
}

For now, only WriteTimeout can be override by config rpc.timeout_broadcast_tx_commit in here

		if config.WriteTimeout <= n.config.RPC.TimeoutBroadcastTxCommit {
			config.WriteTimeout = n.config.RPC.TimeoutBroadcastTxCommit + 1*time.Second
		}

But the ReadTimeout cannot be set a custom value.

However, the http/2 client i'm using is sending a http/2 ping frame to the server every 5s, the ping's frame only contains a header, with no body. Maybe the ReadTimeout is expecting a request with both header + body? As the docs suggested. Not sure if set the ReadHeaderTimeout would help.

        // ReadTimeout is the maximum duration for reading the entire
        // request, including the body.
        //
        // Because ReadTimeout does not let Handlers make per-request
        // decisions on each request body's acceptable deadline or
        // upload rate, most users will prefer to use
        // ReadHeaderTimeout. It is valid to use them both.
        ReadTimeout time.Duration

        // ReadHeaderTimeout is the amount of time allowed to read
        // request headers. The connection's read deadline is reset
        // after reading the headers and the Handler can decide what
        // is considered too slow for the body.
        ReadHeaderTimeout time.Duration // Go 1.8

But as for now, since there's no way to override the ReadTimeout value, the only way to prevent rpc server from killing a http/2 connection is to send some get request every few seconds.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 100.0 DAI (100.0 USD @ $1.0/DAI) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $86,087.72 more funded OSS Work available on the Gitcoin Issue Explorer