Using my capsule as guinea pig (upgrading Trantor TLS infrastructure)

A while ago, I announced my plan to rewrite how Trantor does TLS. I finally found the motivation to do it. The plan was quite in the right direction and I'm at the point where I can start testing the new code. To test in a real-world environment, I think it's easier and better to use my capsule as an experiment. If you find it suddenly stops working, you know why and please let me know.

The experiment will start the night this post is published and last for a few weeks to a month. I'll update once everything is stable.

Some technical details:

  • TLS backend is now Botan2 instead of OpenSSL
  • OpenSSL will be added back very soon

Gemini-only changes. The capsule may feel a bit slower due to lack of TLS 1.3:

  • Only TLS 1.2 is available
  • TLS session resumption is supported
  • Weak ciphers disabled

Common Web changes:

  • Nothing (since HTTPS is handled by Nginx)

Site function, path, atom feed, etc. should not be affected.


  • 2023-Feb-10: Tried the OpenSSL backend. Found that ChangeCipherSpec is not sent and fixed subsequently. gmni and amfora can connect to the capsule now. But Lagrange still hangs after the handshake. Switched back to Botan2. I'm quite happy Botan has been behaving very well.
  • 2023-Feb-11: Lagrange is fixed. Application can send data in the same Ethernet frame as ChangeCipherSpec. The capsule now uses OpenSSL backend. Hope it is stable.
  • 2023-Feb-16: Cleaned up the code. Still using OpenSSL backend. No problem so far. Man, TLS 1.3 really made Gemini feel faster.
  • 2023-Feb-23: Turns out I need to rearchitect the refactor. Data streaming won't work under the current design.
  • 2023-Feb-28: Got data streaming to work on both OpenSSL and Botan2, running on OpenSSL now. I'm very close to the finish line. Missing some Windows bug fixes delayed TLS support.
  • 2023-Mar-01: There's a fatal issue in handling large file sending along using async sockets. Larger files will fail to send. Need more time to fix it.
  • 2023-Mar-02: Large file sending is fixed.
  • 2023-Mar-03: Pull request is ready. Waiting for reviews from other core developers.
  • 2023-Mar-06: Fixed sending large files and large response handling. Hope this is the last bug.
  • 2023-Mar-09: The Botan backend passed review from Botan core developers. Nice! The OpenSSL backend is on its own (but it's backported code anyway). TLGS crawler is experiencing some issues with the OpenSSL backend, debugging. (Haven't tried the Botan backend yet).
  • 2023-Mar-19: TLGS crawler is fixed. Very close to getting this merged.
  • 2023-Mar-30: Merged! Now live on the master branch.
Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict

I run TLGS, a major search engine on Gemini. Used by Buran by default.
