authorteor <teor@torproject.org>2018-12-07 09:29:39 +1000
committerteor <teor@torproject.org>2018-12-07 15:54:32 +1000
commit766fd6cf7666cecc25a94e6cfe46b8b27188ff5d (patch)
tree97c3f51be39fb995d6df90900bf8c9c84e3a4e48
parentd9f36d3e929e5acebbf483e908d0c90aeabf6558 (diff)
Fallbacks: use a 24 hour consensus expiry tolerance
Tor clients will use a consensus that expired up to 24 hours ago. Clients on 0.3.5.5-alpha? and earlier won't select guards from an expired consensus, but they can still bootstrap if they have existing guards. Update the fallback expiry tolerance to match tor's checks. Part of 28768, follow-up on 24661.
-rw-r--r--changes/ticket287684
-rwxr-xr-xscripts/maint/updateFallbackDirs.py29
2 files changed, 21 insertions, 12 deletions
diff --git a/changes/ticket28768 b/changes/ticket28768
new file mode 100644
index 0000000000..ce991c8a42
--- /dev/null
+++ b/changes/ticket28768
@@ -0,0 +1,4 @@
+ o Minor features (fallback directory mirrors):
+ - Accept fallbacks that deliver reasonably live consensuses.
+ (Consensuses that expired less than 24 hours ago.)
+ Closes ticket 28768.
diff --git a/scripts/maint/updateFallbackDirs.py b/scripts/maint/updateFallbackDirs.py
index cf923bfa32..41c4da675e 100755
--- a/scripts/maint/updateFallbackDirs.py
+++ b/scripts/maint/updateFallbackDirs.py
@@ -98,19 +98,24 @@ MUST_BE_RUNNING_NOW = (PERFORM_IPV4_DIRPORT_CHECKS
# Clients have been using microdesc consensuses by default for a while now
DOWNLOAD_MICRODESC_CONSENSUS = True
-# If a relay delivers an expired consensus, if it expired less than this many
-# seconds ago, we still allow the relay. This should never be less than -90,
-# as all directory mirrors should have downloaded a consensus 90 minutes
-# before it expires. It should never be more than 24 hours, because clients
-# reject consensuses that are older than REASONABLY_LIVE_TIME.
-# For the consensus expiry check to be accurate, the machine running this
-# script needs an accurate clock.
+# If a relay delivers an invalid consensus, if it expired less than this many
+# seconds ago, accept the relay as a fallback. For the consensus expiry check
+# to be accurate, the machine running this script needs an accurate clock.
#
-# Relays on 0.3.0 and later return a 404 when they are about to serve an
-# expired consensus. This makes them fail the download check.
-# We use a tolerance of 0, so that 0.2.x series relays also fail the download
-# check if they serve an expired consensus.
-CONSENSUS_EXPIRY_TOLERANCE = 0
+# Relays on 0.3.0 and later return a 404 when they are about to serve a
+# consensus that expired more than 24 hours ago. 0.2.9 and earlier relays
+# will serve consensuses that are very old.
+#
+# A 404 makes relays fail the download check. We use a tolerance of 24 hours,
+# so that 0.2.9 relays also fail the download check if they serve a consensus
+# that is not reasonably live.
+#
+# CONSENSUS_EXPIRY_TOLERANCE should never be more than 24 hours, because
+# clients reject consensuses that are older than REASONABLY_LIVE_TIME. Clients
+# on 0.3.5.5-alpha? and earlier also won't select guards from consensuses that
+# have expired, but can bootstrap if they already have guards in their state
+# file.
+CONSENSUS_EXPIRY_TOLERANCE = 24*60*60
# Output fallback name, flags, bandwidth, and ContactInfo in a C comment?
OUTPUT_COMMENTS = True if OUTPUT_CANDIDATES else False
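Review bot: The rewritten comment above `CONSENSUS_EXPIRY_TOLERANCE` says "invalid consensus" where the removed text said "expired"; the tolerance as described only covers how long ago a consensus expired, so the new wording reads as if consensuses failing other validity checks were tolerated too. I would keep the original first line, `# If a relay delivers an expired consensus, if it expired less than this many`. The 24 hour upper bound tied to tor's REASONABLY_LIVE_TIME is stated only in the comment; a one-line guard next to the assignment, such as `assert CONSENSUS_EXPIRY_TOLERANCE <= 24*60*60`, would stop a later edit from silently accepting fallbacks that serve consensuses clients reject. The code that applies the tolerance is outside this hunk, so how it copes with clock error on the machine running the script cannot be checked here.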