|
| 1 | +import { BlogPostLayout } from '@/components/BlogPostLayout' |
| 2 | +import { MotionCanvas } from '@/components/MotionCanvas' |
| 3 | + |
| 4 | +export const post = { |
| 5 | + draft: false, |
| 6 | + author: 'ramfox', |
| 7 | + date: '2025-03-18', |
| 8 | + title: 'iroh v0.34 - Raw Public Keys in TLS', |
| 9 | + description: 'Iroh 0.34 release', |
| 10 | +} |
| 11 | + |
| 12 | +export const metadata = { |
| 13 | + title: post.title, |
| 14 | + description: post.description, |
| 15 | + openGraph: { |
| 16 | + title: post.title, |
| 17 | + description: post.description, |
| 18 | + images: [{ |
| 19 | + url: `/api/og?title=Blog&subtitle=${post.title}`, |
| 20 | + width: 1200, |
| 21 | + height: 630, |
| 22 | + alt: post.title, |
| 23 | + type: 'image/png', |
| 24 | + }], |
| 25 | + type: 'article' |
| 26 | + } |
| 27 | +} |
| 28 | + |
| 29 | +export default (props) => <BlogPostLayout article={post} {...props} /> |
| 30 | + |
| 31 | +Welcome to a new release of `iroh`, a library for building on direct connections between devices, putting more control in the hands of your users. |
| 32 | + |
| 33 | +We have one major addition in `iroh` and one major addition in `iroh-blobs` this release: the ability to use Raw Public Keys in TLS certificates in `iroh` and an expanded `Tags` API in `iroh-blobs`. Also, for folks who relay on `Discovery` to find locally discovered nodes in your network, we’ve done a major rename, from `LocalSwarmDiscover` to `MdnsDiscovery`. |
| 34 | + |
| 35 | +## 🔑 Raw Public Keys in TLS Certificates |
| 36 | + |
| 37 | +Thanks to the work done by the [libp2p](https://libp2p.io/) team, we have been able to use [self-signed certificates](https://github.com/libp2p/specs/blob/master/tls/tls.md) to enable QUIC connections between endpoints. However, that comes with carrying around a lot of custom code that makes adjustments to the way that TLS certificates are verified. |
| 38 | + |
| 39 | +With the addition of [raw public keys](https://datatracker.ietf.org/doc/html/rfc7250) in `iroh`, we can follow the TLS 1.3 specification to make encrypted connections between two peers using public keys in TLS certificates. It's important to the n0 team to lean into open standards as much as we can. This change also gives us more options, for example, we can possibly move to using OpenSSL for our TLS needs, since it supports Raw Public Keys. |
| 40 | + |
| 41 | +While this a great change for `iroh` as we move forward, switching over to raw public keys in your code is a major breaking change: nodes that use the “old” version, `iroh` at `v0.33.0` or earlier, will not be able to talk to nodes using raw public keys in TLS. |
| 42 | + |
| 43 | +To ease the transition, we’ve made raw public keys **default** in `iroh`, but have added a simple API to keep the old `X.509` certificates in TLS possible. |
| 44 | + |
| 45 | +### Let’s talk about breaking changes… |
| 46 | + |
| 47 | +There are a few wire-level breaking changes that will eventually pop up in `iroh` for the 1.0 release, and this is one of them. We are doing our best to hold onto all of the legacy code for as long as possible, and only remove the old legacy *once* before the `iroh` 1.0 release. This will likely occur for our first release candidate, though it’s possible it will happen before. |
| 48 | + |
| 49 | +Either way, please note: there *will* be a major breaking change coming. We will make sure to sign-post it well, so you have plenty of warning! |
| 50 | + |
| 51 | +### Back to Raw Public Keys! |
| 52 | + |
| 53 | +We’ve added the ability to use raw public keys in TLS certificates, by default. |
| 54 | + |
| 55 | +To make the transition smooth, however, we you can keep your endpoint on `X.509` certificates easily: |
| 56 | + |
| 57 | +```rust |
| 58 | +let endpoint = Endpoint::builder() |
| 59 | + .tls_x509() // <--- this enables the old style TLS authentication |
| 60 | + // ... |
| 61 | + .bind(); |
| 62 | +``` |
| 63 | + |
| 64 | +Eventually, before 1.0, this option will be removed, but you will get fair warning! |
| 65 | + |
| 66 | +Checkout [PR #2937](https://github.com/n0-computer/iroh/pull/2937) for more details. |
| 67 | + |
| 68 | +## 🏷️ Expanded Tag API in `iroh-blobs` |
| 69 | + |
| 70 | +A `Tag` in `iroh-blobs` is a name you can give to content to mark it as important. It also functions as a way to tell the `iroh-blobs` garbage collector “keep this around, I want it.” |
| 71 | + |
| 72 | +We previously had a relatively limited API around tags, but it’s been largely expanded for this most recent release of `iroh-blobs`. They are a very useful concept, and can allow you to associated arbitrary data with a hash inside your node. For more on tags, check out the [tags blog post](https://iroh.computer/blog/a-richer-tags-api), that goes into detail about the API and gives examples on how it can be used. |
| 73 | + |
| 74 | +For an overview on the API changes, I’ll leave you with an excerpt from the blog: |
| 75 | + |
| 76 | +> The current API has been extended to give the full capability of a key-value store for tags. You can get the value of individual tags, list them by range or prefix, and even bulk delete them by range or prefix. In addition we added the ability to atomically rename a tag. |
| 77 | +> |
| 78 | +
|
| 79 | +> Be really careful with bulk deletion of tags. If you delete all tags, all your data will soon be gone. |
| 80 | +> |
| 81 | +
|
| 82 | +Check out [PR #69](https://github.com/n0-computer/iroh-blobs/pull/69) and the [tags blog post](https://iroh.computer/blog/a-richer-tags-api) for more details. |
| 83 | + |
| 84 | +## 🗺️ Rename `LocalSwarmDiscovery` to `MdnsDiscovery` |
| 85 | + |
| 86 | +We were being too pedantic when naming `LocalSwarmDiscovery`. The crate we rely on, `swarm-discovery`, is an opinionated implementation of `mDNS`. Naming the discovery system `LocalSwarm` is confusing, when networking folks likely already understand the purpose of `mDNS`. It’s changed now. `iroh::discovery::local_swarm_discovery` is now `iroh::discovery::mdns`, and `iroh::discovery::local_swarm_discovery::LocalSwarmDiscovery` is now `iroh::discovery::mdns::MdnsDiscovery` . |
| 87 | + |
| 88 | +Checkout [PR #3215](https://github.com/n0-computer/iroh/pull/3215) for more details. |
| 89 | + |
| 90 | +## ⚠️ Breaking Changes |
| 91 | + |
| 92 | +- `iroh` |
| 93 | + - added: |
| 94 | + - `endpoint::Builder::tls_x509` to enable using X.509 TLS certificates. |
| 95 | + - changed: |
| 96 | + - renamed `iroh::discovery::local_swarm_discovery` to `iroh::discovery::mdns` |
| 97 | + - renamed `iroh::discovery::local_swarm_discovery::LocalSwarmDiscovery` to `iroh::discovery::mdns::MdnsDiscovery` |
| 98 | + - changed the default cert format for `Reloading` certificate mode from `DER` to `PEM` |
| 99 | + - trait method `ProtocolHandler::accept(&self, connection: iroh::endpoint::Connection)` used to take an `iroh::endpoint::Connecting`, now takes a `iroh::endpoint::Connection`. |
| 100 | +- `iroh-net-report` |
| 101 | + - removed: |
| 102 | + - `iroh-base`: We removed the unused `getrandom` optional dependency. As such, there doesn't exist a `getrandom` feature flag in `iroh-base` anymore. |
| 103 | + - `MAPPED_ADDR_PORT` is removed. |
| 104 | + - changed: |
| 105 | + - `IpMappedAddr::socket_addr` -> `IpMappedAddr::private_socket_addr` |
| 106 | + |
| 107 | +### But wait, there's more! |
| 108 | + |
| 109 | +Many bugs were squashed, and smaller features were added. For all those details, check out the full changelog: [https://github.com/n0-computer/iroh/releases/tag/v0.34.0](https://github.com/n0-computer/iroh/releases/tag/v0.34.0). |
| 110 | + |
| 111 | +If you want to know what is coming up, check out the [v0.35.0 milestone](https://github.com/n0-computer/iroh/milestone/42), and if you have any wishes, let us know about the [issues](https://github.com/n0-computer/iroh/issues)! If you need help using iroh or just want to chat, please join us on [discord](https://discord.com/invite/DpmJgtU7cW)! And to keep up with all things iroh, check out our [Twitter](https://x.com/iroh_n0). |
0 commit comments