
Add support for SSL torrents

Open Chocobo1 opened this issue 5 months ago • 7 comments

This is a revision of PR #19542. The 'SSL torrent' feature is not standardized, i.e. there are no BEPs (BitTorrent Enhancement Proposals) associated with it, so we do not greatly encourage its usage as it will only work with libtorrent clients and derivatives. It will not work with other torrent clients that do not support the libtorrent-specific implementation. This PR aims to provide minimal support for those who need SSL torrents. Furthermore, it is intended that there will be no UI support (nor indication) of adding/creating SSL torrents.

  • Prerequisites: I omit the instructions for creating those files as the intended audience (experts & advanced users) should have no problem with it. The files are as follows:

    1. Root (torrent publisher) certificate
    2. Root private key
    3. A .torrent file created with root certificate
    4. Peer certificate (signed by the root certificate)
    5. Peer private key
    6. Diffie-Hellman parameters file

    All files are stored in .pem format.

  • Enable SSL torrent protocol in qbt: There are 2 hidden keys to put in the qbt config file, under the [BitTorrent] section:

    1. Session\SSL\Enabled: set it to true.
    2. Session\SSL\Port: set it to some unused port or omit the key entirely to let qbt pick one for you.
  • Add an SSL torrent to qbt: The only way of adding an SSL torrent is via WebAPI. The /api/v2/torrents/add endpoint will support 3 additional parameters. You must provide them for an SSL torrent.

    1. ssl_certificate: Contents of the peer certificate file (in PEM format).
    2. ssl_private_key: Contents of the peer private key file.
    3. ssl_dh_params: Contents of the Diffie-Hellman parameters file.
  • Change the SSL parameters of a torrent: In case you provided wrong SSL parameters when adding a torrent, there is a new endpoint /api/v2/torrents/setSSLParameters that you can use to update the SSL parameters. The parameters (ssl_*) are the same as for the /api/v2/torrents/add endpoint.

  • Query the SSL parameters of a torrent: There is a new endpoint /api/v2/torrents/SSLParameters that you can use to query the SSL parameters of a torrent.

References:

  • https://www.libtorrent.org/manual-ref.html#ssl-torrents
  • https://blog.libtorrent.org/2012/01/bittorrent-over-ssl/

ps. I intend to use 'squash and merge' for merging.

Chocobo1 avatar Jan 27 '24 17:01 Chocobo1
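
An added example, not part of the PR or of qBittorrent's code: a client-side pre-flight check that confirms each ssl_* value is a PEM block of the expected type before building the multipart body for /api/v2/torrents/add, so a swapped or truncated file is caught before any request is made. The function names, the accepted PEM label sets, the `ssl.torrent` filename and the constructed `sample_pem` placeholders are assumptions; `torrents` is the existing upload field of that endpoint.

```python
import base64
import re
import uuid

# PEM block types accepted per ssl_* parameter (the label sets are an assumption).
EXPECTED_LABELS = {
    "ssl_certificate": {"CERTIFICATE"},
    "ssl_private_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "ssl_dh_params": {"DH PARAMETERS"},
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)\s*-----END \1-----")

def sample_pem(label):
    """Constructed placeholder PEM block: valid framing, no real key material."""
    body = base64.b64encode(b"constructed sample for " + label.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def check_pem(field, text):
    """Return the PEM label if text holds a well-formed block of the type field expects."""
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError(f"{field}: no PEM block found")
    label, body = match.group(1), "".join(match.group(2).split())
    if label not in EXPECTED_LABELS[field]:
        raise ValueError(f"{field}: unexpected PEM type {label!r}")
    base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    return label

def build_add_request(torrent_bytes, cert_pem, key_pem, dh_pem):
    """Return (content_type, body) for POST /api/v2/torrents/add; nothing is sent."""
    fields = {"ssl_certificate": cert_pem, "ssl_private_key": key_pem,
              "ssl_dh_params": dh_pem}
    for name, value in fields.items():
        check_pem(name, value)  # fail before any key material leaves the host
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    body += (f"--{boundary}\r\nContent-Disposition: form-data; name=\"torrents\"; "
             "filename=\"ssl.torrent\"\r\n"
             "Content-Type: application/x-bittorrent\r\n\r\n").encode()
    body += torrent_bytes + b"\r\n" + f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body
```

Because the body carries the peer private key, post it only to a WebUI reached over HTTPS or loopback.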

Hi @Chocobo1. Thank you for taking your time to work on it. Unfortunately, the PR in its current form is useless for the use-case I intended when creating my initial PR. That's because having access to the qbittorrent admin interface doesn't necessarily mean also having the access necessary for uploading the ssl_certificate/ssl_private_key/ssl_dh_params content to the filesystem.

I'm a maintainer of a data-management application which, since recently, has merged the initial support for using qbittorrent as a tool to move the managed data between storage servers (https://github.com/rucio/rucio/blob/30cf6ed7a2be6b13c76b649cdc52b6bcc48f81a7/lib/rucio/transfertool/bittorrent.py#L130).

In https://github.com/qbittorrent/qBittorrent/pull/19542, it was possible to generate these temporary SSL keys on-the-fly and add them via the API, without having to put them on the file system via a side channel. Here is my initial working prototype which relied on qbittorrent built with my two PRs (https://github.com/rcarpa/qBittorrent/commits/patch-release-4.6.0rc2/) to execute secure transfers using SSL torrents in our application: https://github.com/rcarpa/rucio/blob/61c3cfafc02170ef5da737e5b100519472519e97/lib/rucio/transfertool/bittorrent.py#L286

Would it be possible to allow setting these certificates either by path, or by their content?

rcarpa avatar Jan 29 '24 08:01 rcarpa

Would it be possible to allow setting these certificates either by path, or by their content?

On second thought, it would definitely be easier for webapi/webui users to transfer the SSL parameter contents (similar to users uploading the .torrent file). This will change the following:

  • ssl_certificate: ~A filesystem path to~ Contents of the peer certificate file (in PEM format).
  • ssl_private_key: ~A filesystem path to~ Contents of the peer private key file.
  • ssl_dh_params: ~A filesystem path to~ Contents of the Diffie-Hellman parameters file.

Does that sound good to you? I'll make the changes and let you know when it is done.

Chocobo1 avatar Jan 29 '24 13:01 Chocobo1

Hi. Yes, this would be perfect. Thank you!

rcarpa avatar Jan 29 '24 13:01 rcarpa

Hi. Yes, this would be perfect. Thank you!

@rcarpa It is done.

Chocobo1 avatar Feb 03 '24 05:02 Chocobo1

@rcarpa It would be great if you can verify that this PR will work for you.

Chocobo1 avatar Feb 10 '24 18:02 Chocobo1

@Chocobo1 Is this PR ready to be reviewed?

glassez avatar Feb 16 '24 17:02 glassez

@Chocobo1 Is this PR ready to be reviewed?

Yes.

Chocobo1 avatar Feb 18 '24 05:02 Chocobo1

I have not seen this PR before the message:

  • https://github.com/qbittorrent/qBittorrent/pull/19542#issuecomment-1962911187

@Chocobo1: Good job!

Neustradamus avatar Feb 25 '24 13:02 Neustradamus