Skip to content
GitLab
Closed
Issue created by David Goulet@dgoulet🐼Owner

hs-v3: Rotate intro points and close RP circuits when removing client auth service side

On the service side (only), when a client authorization is removed and then tor is HUP, right now the service notices that and re-upload a new descriptor containing that new auth.

However, the into points are most likely kept as is (if no normal rotation happened during re-build) which means that a revoked client can still access the service with their cached descriptor because the intro points are still valid...

Furthermore, the RP circuits for that client aren't closed.

Security wise, that is not ideal to have a "not really revoked client" ;). Fortunately, only applies to 0.3.5.1-alpha and onward so no need for a TROVE.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information