[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] tor ignores --SigningKeyLifetime when keys exist

To: "tor-dev@xxxxxxxxxxxxxxxxxxxx" <tor-dev@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
From: nusenu <nusenu@xxxxxxxxxxxxxxx>
Date: Sat, 28 Nov 2015 11:48:36 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 28 Nov 2015 06:49:04 -0500
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1448711329; bh=6WmOriD6anQ+3JBqLtdqbcLc3l/Bo7TVbZNhI0jlI5E=; h=From:Subject:To:Date:From; b=wTlhJbRWhNvANB2UVkf/6JEJcLA8cVJfXCwku7Vnn/EIKsp4wXyP3C9FT3JpMNzp5 Ix3OpHj9tVccf/9o2b6TPPgduepcJ0Cs/DOZH2SDOxiESRroC6aYtzAcdyKqJpdEd7 31k0CFnFn/I120gm5O8zE6iiB3XCg2GpxooQAB9o=
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1448711319; bh=6WmOriD6anQ+3JBqLtdqbcLc3l/Bo7TVbZNhI0jlI5E=; h=From:Subject:To:Date:From; b=VtFBXO9ZQ0mx5i5VxYojiDV3iTjAQvkTgR3aw40LF7/d/ywd0i8DFOR1xOZKhFWqz kw8ZjKnQsFYmmpVEww5/xwm/CExXb1cybFmV99RTl4Fly3Ol75nucz7LSCPeK062kp 2CdbtVSxmcjxgHJvQ2SkjGm8A8OHyru+pQRBvlqc=
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

(thread split from [1])

s7r wrote:
> - - when you run tor --orport [...] just to generate the keys in a
> non-interactive way, include a PublishServerDescriptor 0 in the
> command as well, send the log to /dev/null and terminate the process
> immediately. The descriptor will have to be published by the Tor
> process actually running the relay. If the master id private key is
> not encrypted, --keygen should be able to renew the medium term
> signing key in a non-interactive way. But it's not a big deal if you
> decide to do it with tor --orport [...] if it's easier for you this way.

Turns out my workaround to generate keys without a passphrase
non-interactively is not working entirely in every case since tor
apparently ignores --SigningKeyLifetime (when used without --keygen)
when keys exist: Signing keys are not (re)generated according to the
(new) SigningKeyLifetime parameter (signing key/cert remains unchanged).

reproducer:
mkdir tdata
tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata
--list-fingerprint --quiet

(new signing key with default expiry created)

attempt to change (reduce) expiry:
tor --PublishServerDescriptor 0 --orport 1234 --datadirectory tdata
--SigningKeyLifetime "1 week" --list-fingerprint --quiet

expected result: key lifetime is reduced to 7 days
actual result: key lifetime is not changed (remains at 1 month)

(invoking tor with --keygen causes the expected lifetime but can not be
run non-interactively if keys do not exist)

So I reopened [2].



[1] https://lists.torproject.org/pipermail/tor-dev/2015-November/009959.html
[2] https://trac.torproject.org/projects/tor/ticket/17127
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
  - From: s7r

Prev by Author: Re: [tor-dev] OfflineMasterKey / ansible-relayor
Next by Author: Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
Previous by thread: Re: [tor-dev] [Applications Team] Meeting next Tuesday 19:00 UTC
Next by thread: Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
Index(es):
- Author
- Thread