Merge pull request #6229 from marten-seemann/tls

add an experiment to prefer TLS 1.3 over secio

core/node/groups.go

@@ -38,7 +38,7 @@ func LibP2P(cfg *BuildCfg) fx.Option {
 	opts := fx.Options(
 		BaseLibP2P,
 
-		maybeProvide(P2PNoSecurity, cfg.DisableEncryptedConnections),
+		fx.Provide(P2PSecurity(!cfg.DisableEncryptedConnections)),
 		maybeProvide(Pubsub, cfg.getOpt("pubsub") || cfg.getOpt("ipnsps")),
 
 		fx.Provide(P2PSmuxTransport(cfg.getOpt("mplex"))),

core/node/libp2p.go

@@ -33,6 +33,8 @@ import (
 	"github.com/libp2p/go-libp2p-record"
 	"github.com/libp2p/go-libp2p-routing"
 	"github.com/libp2p/go-libp2p-routing-helpers"
+	secio "github.com/libp2p/go-libp2p-secio"
+	tls "github.com/libp2p/go-libp2p-tls"
 	p2pbhost "github.com/libp2p/go-libp2p/p2p/host/basic"
 	"github.com/libp2p/go-libp2p/p2p/host/routed"
 	mafilter "github.com/libp2p/go-maddr-filter"
@@ -353,12 +355,24 @@ func P2PQUIC(cfg *config.Config) (opts Libp2pOpts, err error) {
 	return
 }
 
-func P2PNoSecurity() (opts Libp2pOpts) {
-	opts.Opts = append(opts.Opts, libp2p.NoSecurity)
-	// TODO: shouldn't this be Errorf to guarantee visibility?
-	log.Warningf(`Your IPFS node has been configured to run WITHOUT ENCRYPTED CONNECTIONS.
+func P2PSecurity(enabled bool) interface{} {
+	if !enabled {
+		return func() (opts Libp2pOpts) {
+			// TODO: shouldn't this be Errorf to guarantee visibility?
+			log.Warningf(`Your IPFS node has been configured to run WITHOUT ENCRYPTED CONNECTIONS.
 		You will not be able to connect to any nodes configured to use encrypted connections`)
-	return opts
+			opts.Opts = append(opts.Opts, libp2p.NoSecurity)
+			return opts
+		}
+	}
+	return func(cfg *config.Config) (opts Libp2pOpts) {
+		if cfg.Experimental.PreferTLS {
+			opts.Opts = append(opts.Opts, libp2p.ChainOptions(libp2p.Security(tls.ID, tls.New), libp2p.Security(secio.ID, secio.New)))
+		} else {
+			opts.Opts = append(opts.Opts, libp2p.ChainOptions(libp2p.Security(secio.ID, secio.New), libp2p.Security(tls.ID, tls.New)))
+		}
+		return opts
+	}
 }
 
 type P2PHostIn struct {

docs/experimental-features.md

@@ -683,3 +683,25 @@ ipfs config --json Swarm.EnableAutoNATService true
 ### Road to being a real feature
 
 - [ ] needs testing
+
+
+## TLS 1.3 as default handshake protocol
+
+### State
+
+Every go-ipfs node (>=0.4.21) accepts secio and TLS 1.3 connections but prefers
+secio over TLS when dialing. To prefer TLS when dialing, you'll have to enable
+this feature.
+
+### How to enable
+
+Modify your ipfs config:
+
+```
+ipfs config --json Experimental.PreferTLS true
+```
+
+### Road to being a real feature
+
+- [ ] needs testing
+- [ ] needs adoption

go.mod

@@ -34,7 +34,7 @@ require (
 	github.com/ipfs/go-ipfs-chunker v0.0.1
 	github.com/ipfs/go-ipfs-cmdkit v0.0.1
 	github.com/ipfs/go-ipfs-cmds v0.0.5
-	github.com/ipfs/go-ipfs-config v0.0.1
+	github.com/ipfs/go-ipfs-config v0.0.2
 	github.com/ipfs/go-ipfs-ds-help v0.0.1
 	github.com/ipfs/go-ipfs-exchange-interface v0.0.1
 	github.com/ipfs/go-ipfs-exchange-offline v0.0.1
@@ -75,7 +75,7 @@ require (
 	github.com/libp2p/go-libp2p-loggables v0.0.1
 	github.com/libp2p/go-libp2p-metrics v0.0.1
 	github.com/libp2p/go-libp2p-net v0.0.2
-	github.com/libp2p/go-libp2p-peer v0.0.1
+	github.com/libp2p/go-libp2p-peer v0.1.0
 	github.com/libp2p/go-libp2p-peerstore v0.0.2
 	github.com/libp2p/go-libp2p-pnet v0.0.1
 	github.com/libp2p/go-libp2p-protocol v0.0.1
@@ -87,6 +87,7 @@ require (
 	github.com/libp2p/go-libp2p-routing-helpers v0.0.2
 	github.com/libp2p/go-libp2p-secio v0.0.1
 	github.com/libp2p/go-libp2p-swarm v0.0.2
+	github.com/libp2p/go-libp2p-tls v0.0.1
 	github.com/libp2p/go-maddr-filter v0.0.1
 	github.com/libp2p/go-stream-muxer v0.0.1
 	github.com/libp2p/go-testutil v0.0.1
@@ -94,11 +95,11 @@ require (
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mr-tron/base58 v1.1.0
-	github.com/multiformats/go-multiaddr v0.0.1
+	github.com/multiformats/go-multiaddr v0.0.2
 	github.com/multiformats/go-multiaddr-dns v0.0.2
 	github.com/multiformats/go-multiaddr-net v0.0.1
 	github.com/multiformats/go-multibase v0.0.1
-	github.com/multiformats/go-multihash v0.0.1
+	github.com/multiformats/go-multihash v0.0.2
 	github.com/opentracing/opentracing-go v1.0.2
 	github.com/pkg/errors v0.8.1
 	github.com/prometheus/client_golang v0.9.2
@@ -110,10 +111,11 @@ require (
 	github.com/whyrusleeping/multiaddr-filter v0.0.0-20160516205228-e903e4adabd7
 	github.com/whyrusleeping/tar-utils v0.0.0-20180509141711-8c6c8ba81d5c
 	go.uber.org/atomic v1.3.2 // indirect
-	go.uber.org/dig v1.7.0
+	go.uber.org/dig v1.7.0 // indirect
 	go.uber.org/fx v1.9.0
+	go.uber.org/goleak v0.10.0 // indirect
 	go.uber.org/multierr v1.1.0 // indirect
-	golang.org/x/sys v0.0.0-20190302025703-b6889370fb10
+	golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e
 	golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e // indirect
 	gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28