author | teor <teor@torproject.org> | 2018-12-07 09:29:39 +1000 |
---|---|---|
committer | teor <teor@torproject.org> | 2018-12-07 15:54:32 +1000 |
commit | 766fd6cf7666cecc25a94e6cfe46b8b27188ff5d (patch) | |
tree | 97c3f51be39fb995d6df90900bf8c9c84e3a4e48 /scripts/maint/updateFallbackDirs.py | |
parent | d9f36d3e929e5acebbf483e908d0c90aeabf6558 (diff) | |
Fallbacks: use a 24 hour consensus expiry tolerance
Tor clients will use a consensus that expired up to 24 hours ago.
Clients on 0.3.5.5-alpha? and earlier won't select guards from an expired
consensus, but they can still bootstrap if they have existing guards.
Update the fallback expiry tolerance to match tor's checks.
Part of 28768, follow-up on 24661.
Diffstat (limited to 'scripts/maint/updateFallbackDirs.py')
-rwxr-xr-x | scripts/maint/updateFallbackDirs.py | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/scripts/maint/updateFallbackDirs.py b/scripts/maint/updateFallbackDirs.py index cf923bfa32..41c4da675e 100755 --- a/scripts/maint/updateFallbackDirs.py +++ b/scripts/maint/updateFallbackDirs.py 
@@ -98,19 +98,24 @@ MUST_BE_RUNNING_NOW = (PERFORM_IPV4_DIRPORT_CHECKS # Clients have been using microdesc consensuses by default for a while now DOWNLOAD_MICRODESC_CONSENSUS = True -# If a relay delivers an expired consensus, if it expired less than this many -# seconds ago, we still allow the relay. This should never be less than -90, -# as all directory mirrors should have downloaded a consensus 90 minutes -# before it expires. It should never be more than 24 hours, because clients -# reject consensuses that are older than REASONABLY_LIVE_TIME. -# For the consensus expiry check to be accurate, the machine running this -# script needs an accurate clock. +# If a relay delivers an invalid consensus, if it expired less than this many +# seconds ago, accept the relay as a fallback. For the consensus expiry check +# to be accurate, the machine running this script needs an accurate clock. # -# Relays on 0.3.0 and later return a 404 when they are about to serve an -# expired consensus. This makes them fail the download check. -# We use a tolerance of 0, so that 0.2.x series relays also fail the download -# check if they serve an expired consensus. -CONSENSUS_EXPIRY_TOLERANCE = 0 +# Relays on 0.3.0 and later return a 404 when they are about to serve a +# consensus that expired more than 24 hours ago. 0.2.9 and earlier relays +# will serve consensuses that are very old. +# +# A 404 makes relays fail the download check. We use a tolerance of 24 hours, +# so that 0.2.9 relays also fail the download check if they serve a consensus +# that is not reasonably live. +# +# CONSENSUS_EXPIRY_TOLERANCE should never be more than 24 hours, because +# clients reject consensuses that are older than REASONABLY_LIVE_TIME. Clients +# on 0.3.5.5-alpha? and earlier also won't select guards from consensuses that +# have expired, but can bootstrap if they already have guards in their state +# file. 
+CONSENSUS_EXPIRY_TOLERANCE = 24*60*60 # Output fallback name, flags, bandwidth, and ContactInfo in a C comment? OUTPUT_COMMENTS = True if OUTPUT_CANDIDATES else False |
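Review bot: The opening line of the rewritten comment above CONSENSUS_EXPIRY_TOLERANCE now reads "If a relay delivers an invalid consensus", but the rest of that sentence and the constant itself only concern expiry, so "expired" (the word the removed text used) is the accurate term; "invalid" reads as if any malformed consensus would be tolerated for 24 hours. The version "0.3.5.5-alpha?" in the last paragraph of the comment still carries a question mark, and it would be better to confirm the version or say explicitly that it is unconfirmed before this lands in a long-lived comment. The removed text also explained the lower bound (mirrors should have downloaded a consensus 90 minutes before it expires); if that bound still applies, keep a sentence for it, since the new comment only documents the 24 hour upper bound.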