
Connecting to FQDN peers with SNI is broken

Open felixbrucker opened this issue 9 months ago • 13 comments

Currently, when an FQDN is used to connect to a peer which requires SNI to correctly route the request to the host, no connection can be established. This is due to chia itself resolving the host and using the resulting IP to connect to it, breaking SNI.

felixbrucker · Apr 28 '24 19:04

aiohttp 3.9 supports SNI, so maybe it can be added

https://github.com/aio-libs/aiohttp/pull/7543

What feature are you trying to implement exactly felix?

wjblanke · May 01 '24 16:05

I wanted to connect to a full node behind Cloudflare, but it would be the same for users trying to connect to one behind nginx, given that they host multiple servers on the same port, for example 443. This however is currently broken and does not work, as the correct endpoint to connect to cannot be mapped, as that info is missing (because it connects to the resolved IP instead of connecting to the hostname in the config and letting the library handle resolving and properly connecting to it).

felixbrucker · May 01 '24 16:05

I did some testing; I think there are two approaches to solve this:

  • the normal way: pass in the host to ws_connect, for example: ws_connect("wss://some-fqdn.com/ws") instead of ws_connect("wss://1.2.3.4/ws"). In this case aiohttp already handles everything correctly and a connection can be established.
  • the ugly way: continue to pass in the resolved IP as URL, but also pass through the server_name argument and Host header set to the FQDN, for example:

        ws_connect(
          "wss://1.2.3.4/ws",
          server_hostname=unresolved_peer_info.host,
          headers={
            "Host": unresolved_peer_info.host,
          },
        )

Currently aiohttp cannot set the server_hostname for ws_connect, see https://github.com/aio-libs/aiohttp/pull/7942 (has been on main for 6 months)

felixbrucker · May 03 '24 02:05
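The difference between the two approaches comes down to what ends up in the TLS ClientHello: when the client is handed an FQDN, the server_name (SNI) extension carries it, and a reverse proxy such as nginx or Cloudflare can route on it; when the client is handed only the resolved IP, no SNI is sent and routing fails. The following is an added example, not code from the chia-blockchain project or from this thread; it uses only Python's standard ssl module with in-memory BIOs (no network), and the hostname node.example.com is a constructed placeholder.

```python
import ssl


def client_hello(server_hostname):
    """Drive a TLS client handshake over in-memory BIOs just far enough to
    emit the ClientHello, and return its raw bytes (no network involved)."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Python refuses wrap_bio(server_hostname=None) while check_hostname is on,
        # so this branch mirrors a client that has nothing but an IP to go on.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello was written, client now waits for ServerHello
    return outgoing.read()


def sni_name(hello):
    """Parse the server_name extension (type 0) out of a raw ClientHello record.
    Returns the host_name string, or None when the extension is absent."""
    p = 5 + 4                       # TLS record header + handshake header
    p += 2 + 32                     # client_version + random
    p += 1 + hello[p]               # session_id
    p += 2 + int.from_bytes(hello[p:p + 2], "big")   # cipher_suites
    p += 1 + hello[p]               # compression_methods
    if p >= len(hello):
        return None                 # no extensions block at all
    ext_end = p + 2 + int.from_bytes(hello[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        ext_type = int.from_bytes(hello[p:p + 2], "big")
        ext_len = int.from_bytes(hello[p + 2:p + 4], "big")
        body = hello[p + 4:p + 4 + ext_len]
        if ext_type == 0:
            # ServerNameList: 2-byte list length, then name_type(1) + len(2) + name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None


if __name__ == "__main__":
    print("FQDN   ->", sni_name(client_hello("node.example.com")))
    print("no name->", sni_name(client_hello(None)))
```

Connecting to the resolved address while still passing the FQDN as server_hostname (the "ugly way" above) restores the extension, which is why that variant works once the library exposes the parameter.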

Is this just farmers trying to connect to a node or do you want node-node traffic working like this?

wjblanke · May 08 '24 16:05

I'd love to see it work for both, but the primary case is farmer to node

felixbrucker · May 08 '24 16:05

Looks like we need a new release of main aiohttp as well

wjblanke · May 08 '24 16:05

we can probably get farmer to node working

wjblanke · May 08 '24 16:05

For the ugly way, yes.

I'd much prefer the correct way.

felixbrucker · May 08 '24 16:05

Node-node gossip may be an issue; I think it only supports IP. The bigger issue is that the current strategy for nodes is to resolve as early as possible, so this is the opposite of that.

wjblanke · May 08 '24 16:05

Yeah, resolving happens in chia-blockchain before connecting, and it makes sense for network-based configs, like determining if a peer is trusted/whitelisted, etc., but I'm not sure for which other reasons this might happen, or whether it is even needed.

felixbrucker · May 08 '24 17:05

In the interim, would running a proxy work to map the IP connections to a domain name? It's kludgy but should work.

wjblanke · Jul 03 '24 16:07

Nope, because if you map IP to domain in a proxy you could just host on the IP itself in the first place, which is neither desired nor possible in my case.

felixbrucker · Jul 03 '24 16:07

It is in our backlog, as I mentioned in Discord; not sure if this is an especially high-priority issue, however.

jack60612 · Jul 03 '24 20:07