You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After #1341, inbound TLS uses ssl.CERT_OPTIONAL in libp2p/security/tls/transport.py (~line 146). This requests a client certificate and triggers OpenSSL PKIX verification. libp2p peers use self-signed identity certificates verified via the libp2p X.509 extension (libp2p TLS spec), not a CA chain.
When the dialer presents its self-signed libp2p cert, the listener's OpenSSL stack rejects it with TLSV1_ALERT_UNKNOWN_CAbefore post-handshake libp2p extension verification runs.
Why unit tests pass
tests/core/security/tls/test_tls.py and tests/utils/factories.py call trust_peer_cert_pem() before handshake — pre-loading peer certs as trusted CAs. Real interop (perf harness) does not and should not need this.
Expected fix
Align with Go/rustls libp2p TLS:
Disable PKIX/CA verification at the OpenSSL layer for peer self-signed certs
Enforce mutual auth via libp2p extension verification in secure_inbound / secure_outbound
Summary
python-v0.x x python-v0.xperf tests in libp2p/unified-testing fail on all TLS stacks with:Noise stacks pass; only TLS fails.
Reproduction
perf/, use local py-libp2p at51a50c80(main) or any commit including fix(tls): reject inbound connections that present no client certificate #1341../run.sh --impl-select python-v0.x \ --baseline-ignore "~baselines" \ --force-image-rebuild \ --timeout 900 \ --yes(tcp|ws) x (tls) x (yamux|mplex).Baseline repro: unified-testing perf pass
perf-08c8be91-132754-07-07-2026at py-libp2p51a50c80— 4/8 pass (noise only), 4/8 fail (TLS only).Root cause
After #1341, inbound TLS uses
ssl.CERT_OPTIONALinlibp2p/security/tls/transport.py(~line 146). This requests a client certificate and triggers OpenSSL PKIX verification. libp2p peers use self-signed identity certificates verified via the libp2p X.509 extension (libp2p TLS spec), not a CA chain.When the dialer presents its self-signed libp2p cert, the listener's OpenSSL stack rejects it with
TLSV1_ALERT_UNKNOWN_CAbefore post-handshake libp2p extension verification runs.Why unit tests pass
tests/core/security/tls/test_tls.pyandtests/utils/factories.pycalltrust_peer_cert_pem()before handshake — pre-loading peer certs as trusted CAs. Real interop (perf harness) does not and should not need this.Expected fix
Align with Go/rustls libp2p TLS:
secure_inbound/secure_outboundRelated
Environment
51a50c803e46a5247b71d368981f67e3db9eaf59