Skip to content

Properly handle expired identities in gossip (release-2.5)#5122

Merged
yacovm merged 2 commits intohyperledger:release-2.5from
denyeart:gossip_rewnew_certs_25
Jan 27, 2025
Merged

Properly handle expired identities in gossip (release-2.5)#5122
yacovm merged 2 commits intohyperledger:release-2.5from
denyeart:gossip_rewnew_certs_25

Conversation

@denyeart
Copy link
Contributor

@denyeart denyeart commented Jan 27, 2025

When a peer's certificate expires, gossip still retains past messages it has sent, and gossips them to other peers.

Aside from peers doing redundant work, this also impairs their connectivity to the peer with the renewed certificate.

The reason is that peers try connect to the peer of the renewed certificate but abort because they cannot find its (old) PKI-ID in the identity store, which purged its old PKI-ID once its certificate has expired.

This commit fixes this problem by making the peer forget about peers that their identities have been purged from the identity store.

@denyeart
Properly handle expired identities in gossip
676a6ff 
When a peer's certificate expires, gossip still retains past messages
it has sent, and gossips them to other peers.

Aside from peers doing redundant work, this also impairs their
connectivity to the peer with the renewed certificate.

The reason is that peers try connect to the peer of the renewed
certificate but abort because they cannot find its (old) PKI-ID
in the identity store, which purged its old PKI-ID once its
certificate has expired.

This commit fixes this problem by making the peer forget
about peers that their identities have been purged from
the identity store.

Signed-off-by: David Enyeart <enyeart@us.ibm.com>
Signed-off-by: Yacov Manevich <yacov.manevich@gmail.com>
@denyeart denyeart requested a review from a team as a code owner January 27, 2025 13:31
yacovm
yacovm previously approved these changes Jan 27, 2025
View reviewed changes
@yacovm yacovm enabled auto-merge (squash) January 27, 2025 13:39
@denyeart denyeart force-pushed the gossip_rewnew_certs_25 branch from 76a8649 to d1fdf8d Compare January 27, 2025 15:35
@denyeart
Fix gossip cert renewal integration test
7854362 
The membership check via discovery does not work consistently
due to the renewed cert signature not matching expectations.
For now, it is sufficient to do the membership check
via checking the log.

Signed-off-by: David Enyeart <enyeart@us.ibm.com>
@denyeart denyeart force-pushed the gossip_rewnew_certs_25 branch from d1fdf8d to 7854362 Compare January 27, 2025 16:03
@denyeart
Copy link
Contributor Author

denyeart commented Jan 27, 2025
edited
Loading

@yacovm I had to update the integration tests for different timings in release-2.5 to avoid flakes.
This should be the last approval needed for the issue.
Also made main branch consistent in #5123

Finally, I've also opened PRs for v2.5.11 release to deliver the fix - #5124 and #5125

@yacovm yacovm merged commit 52bb909 into hyperledger:release-2.5 Jan 27, 2025
14 checks passed
@denyeart denyeart mentioned this pull request Feb 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yacovm yacovm yacovm approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@denyeart @yacovm