Skip to content

TLS documentation for Issue #700 #844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

TLS documentation for Issue #700 #844

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
7a6b530
tls support
Fatumayattani Aug 15, 2025
d0345b6
update tls docs
Fatumayattani Aug 15, 2025
7dd3469
update tls support
Fatumayattani Aug 15, 2025
bfbc389
update changes
Fatumayattani Aug 15, 2025
a9b510e
tls support
Fatumayattani Aug 15, 2025
6ea3016
tls support doc #700
Fatumayattani Aug 15, 2025
77f4764
Add tls-support.rst to docs toctree
Fatumayattani Aug 17, 2025
cc68f63
Merge branch 'main' into main
seetadev Aug 18, 2025
73d44ed
Replace asyncio with trio, fix newline, and run pre-commit checks on …
Fatumayattani Aug 19, 2025
91434a2
Merge branch 'main' into main
seetadev Aug 25, 2025
1a52d56
Merge branch 'main' into main
seetadev Aug 28, 2025
ced2f1d
Merge branch 'main' into main
seetadev Sep 1, 2025
016c735
Merge branch 'main' into main
seetadev Sep 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ The Python implementation of the libp2p networking stack

Examples <examples>
API <libp2p>
tls-support

.. toctree::
:maxdepth: 1
Expand Down
161 changes: 161 additions & 0 deletions docs/tls-support.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
Py-libp2p – TLS Support Documentation
======================================================

.. contents::
:depth: 2
:local:

Overview of TLS in Libp2p
-------------------------

**Purpose of TLS in P2P networking**

- Encrypts data between peers.
- Authenticates peer identity using certificates.
- Prevents man-in-the-middle attacks.

**Integration in libp2p security modules**

- TLS is one of the supported secure channel protocols (alongside Noise).
- Negotiated during connection setup.

**Current status**

- **py-libp2p**: Experimental, usable for local and interop tests.
- **go-libp2p / js-libp2p**: Stable and production-ready.

Installation Requirements
-------------------------

**Python requirements**

- Python 3.8+

**Install with TLS support**

.. code-block:: bash

pip install "libp2p[tls]"

**Additional dependencies**

Ubuntu / Debian:

.. code-block:: bash

sudo apt install build-essential python3-dev libffi-dev libssl-dev

macOS:

.. code-block:: bash

brew install openssl

Enabling TLS in py-libp2p
-------------------------

**Working example – Listener and Dialer**
Copy link
Contributor

@acul71 acul71 Aug 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional:
If you want you can add the example in the examples/ directory https://github.com/libp2p/py-libp2p/tree/main/examples
and include that in tls-support.rst see https://github.com/libp2p/py-libp2p/blob/main/docs/examples.identify.rst


Listener node:

.. code-block:: python

import trio
from libp2p import new_host
from libp2p.security.tls.transport import TLSTransport

async def main():
host = await new_host(security_transports=[TLSTransport()])
await host.listen("/ip4/0.0.0.0/tcp/8000")
print("TLS-enabled listener at:", host.get_addrs())

await trio.sleep_forever()

if __name__ == "__main__":
trio.run(main())

Dialer node:

.. code-block:: python

import trio
from libp2p import new_host
from libp2p.security.tls.transport import TLSTransport
from libp2p.peer.peerinfo import info_from_p2p_addr

async def main():
host = await new_host(security_transports=[TLSTransport()])

addr = "/ip4/127.0.0.1/tcp/8000/p2p/QmPeerIDHere"
peer_info = info_from_p2p_addr(addr)

await host.connect(peer_info)
print("Connected securely to", peer_info.peer_id)

if __name__ == "__main__":
trio.run(main())

**Defaults if no configuration is provided**

- Generates a self-signed certificate automatically.

Certificate Management
----------------------

**Generate a development certificate**

.. code-block:: bash

openssl req -x509 -newkey rsa:2048 \
-keyout key.pem -out cert.pem \
-days 365 -nodes -subj "/CN=py-libp2p"

- Store keys outside version control.
- Rotate certificates every 90 days in production.

Testing TLS Connections
-----------------------

**Local test steps**

1. Run the listener example.
2. Start the dialer with the listener's multiaddress.
3. Confirm the secure connection in logs.

**Interop testing**

- Ensure both nodes advertise `/tls/1.0.0`.
- Peer IDs must match certificate public keys.

Security Considerations
-----------------------

- Never disable certificate verification in production.
- Use TLS 1.3 or later.
- Pin certificates for critical peers.

Troubleshooting
---------------

.. list-table::
:header-rows: 1
:widths: 30 30 40

* - Problem
- Cause
- Solution
* - Certificate not trusted
- Self-signed without trust store entry
- Add cert to local trust store or disable verification **only** in testing.
* - Protocol negotiation failed
- One peer does not support `/tls/1.0.0`
- Enable TLS on both peers or use Noise.
* - SSL handshake failure
- TLS version mismatch or clock skew
- Enforce TLS 1.3, sync system clock.
* - `ImportError: No module named libp2p.security.tls`
- TLS extras not installed
- Run `pip install "libp2p[tls]"`.
* - Connection refused
- Port blocked or listener not running
- Check firewall rules and listener status.