[DO NOT MERGE] Ssl on top of random unmerged stuff #4011
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thanks to iDunk for lots of testing to get this to work on Windows
It turns out this can be fairly heavy when logging a lot
also use reserve where appropriate
Processing typically is the bottleneck
key derivation and checking for incoming outputs are threaded in batch before adding blocks to the local blockchain. Other minor bits and bobs are also cached.
Decrease the number of worker threads by one to account for the fact the calling thread acts as a worker thread now
Speeds up syncing with a lot of outgoing outputs as key generation runs Cryptonight.
This can happen when there's a very large reorg on the daemon (ie, on testnet)
This gets rid of an innocuous race trying to add the same tx twice to the txpool
This means monero-wallet-rpc still does, but the user level program does not.
Cold signing was always using Borromean range proofs, causing a larger tx, and an incorrect fee
a connection's timeout is halved for every extra connection from the same host. Also keep track of when we don't need to use a connection anymore, so we can close it and free the resource for another connection. Also use the longer timeout for non routable local addresses.
This would make monerod use 100% CPU when running with torsocks without Tor running
This reverts commit 0fd2508.
instead of a random ratio from 60% to 90%.
for privacy reasons, so an untrusted node can't easily track wallets from IP address to IP address, etc. The granularity is 1024 blocks, which is about a day and a half.
This would cause crashes when trying to tag an account that was just created
P2P and RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{p2p,rpc,daemon}-ssl-private-key and
--{p2p,rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{p2p,rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--{p2p,rpc}-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
They're controllable by potential attackers and would just spam
This should help new nodes predict how much disk space will be needed for a full sync
This avoids constant rechecking of the same things each time a miner asks for the block template. The tx pool maintains a cookie to allow users to detect when the pool state changed, which means the block template needs rebuilding.
moneromooo-monero
force-pushed
the
ssl-on-top-of-random-unmerged-stuff
branch
from
e02733a
to
d48dd24
Compare
|
Rebased to #4054 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This doesn't apply on master because of random unmerged patches, so this goes here for now.
This is on top of the v3 db, so only use if you don't mind not being able to use a v2 db branch again.
The actual reviewable SSL commit is
f2c0467now 3fd2b80