Skip to content

arti-hyper: TLS connection failed when trying an HTTPS URL

The arti-hyper example (https://gitlab.torproject.org/tpo/core/arti/-/blob/f5effd320a454644d64d0e8c8c1d1ab84761b1ad/crates/arti-hyper/examples/hyper.rs) does not work on current main (f5effd32) when given an HTTPS URL:

$ git checkout f5effd320a454644d64d0e8c8c1d1ab84761b1ad
$ cd crates/arti-hyper
$ cargo run --example hyper -- https://icanhazip.com
starting Arti...
2022-09-04T19:54:57.229438Z  INFO tor_guardmgr::sample: Guard set loaded. n_guards=21 n_confirmed=2
2022-09-04T19:54:57.237013Z  INFO arti_client::client: We now own the lock on our state files.
2022-09-04T19:54:57.239330Z  INFO tor_guardmgr::sample: Guard set loaded. n_guards=21 n_confirmed=2
2022-09-04T19:54:58.584198Z  INFO tor_dirmgr: Didn't get usable directory from cache.
2022-09-04T19:54:59.928367Z  INFO tor_dirmgr::bootstrap: 1: Looking for a consensus.
2022-09-04T19:55:01.090663Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:n
2022-09-04T19:55:01.091109Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:n
2022-09-04T19:55:01.092413Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:n
2022-09-04T19:55:06.122710Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:n
2022-09-04T19:55:06.122864Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:n
2022-09-04T19:55:12.345777Z  INFO tor_dirmgr::state: The current consensus is fresh until 2022-09-04 20:00:00.0 +00:00:00, and valid until 2022-09-04 22:00:00.0 +00:00:00. I've picked 2022-09-04 20:54:39.780396203 +00:00:00 as the earliest time to replace it.
2022-09-04T19:55:12.345932Z  INFO tor_dirmgr::state: Marked consensus usable.
2022-09-04T19:55:12.352730Z  INFO tor_dirmgr::bootstrap: 1: Downloading microdescriptors (we are missing 452).
2022-09-04T19:55:14.279826Z  INFO tor_dirmgr: Directory is complete.
2022-09-04T19:55:14.279890Z  INFO tor_dirmgr: We have enough information to build circuits.
requesting https://icanhazip.com via Tor...
2022-09-04T19:55:14.744658Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:9001
2022-09-04T19:55:16.963074Z  INFO arti_client::client: Got a circuit for icanhazip.com:443
2022-09-04T19:55:17.752520Z  INFO tor_chanmgr::builder: Negotiating TLS with n.n.n.n:4080
2022-09-04T19:55:32.554301Z  INFO tor_circmgr: Flushed persistent state at exit.
Error: error trying to connect: TLS connection failed

Caused by:
    0: TLS connection failed
    1: connection closed via error

It however succeeds when running without arguments (cargo run --example hyper) which just hits http://icanhazip.com.

I did some digging through the history of this crate and found that even the commit that originally introduced TLS support also fails in this way:

$ git checkout c24c3af81ba4a5e899d8bda2a66c511a2c9ed504
$ cd crates/arti-hyper
$ cargo run --example hyper -- https://icanhazip.com
[ ... same output as above ... ]

The original PR author indicates that it worked on their machine: !355 (merged)

To try to suss out any issues with my machine, I've copied this example into a small crate and swapped tls_api_native_tls for tls_api-rustls and observed the same behavior.