35C3 TLS Workshop Notes
Welcome to the 35C3 Namecoin TLS Workshop, home of the code that first worked a few days ago. We’ll walk you through the steps below, feel free to follow along in this document.
Get a Namecoin lookup client
You only need one of ConsensusJ-Namecoin or Electrum-NMC. ConsensusJ-Namecoin requires x86 architecture (either 32-bit or 64-bit). Electrum-NMC requires Python 3.6 or higher.
ConsensusJ-Namecoin
Electrum-NMC
- https://www.namecoin.org/download/betas/#electrum-nmc (you want the v3.2.4b1 Beta)
Install a Namecoin lookup client
You only need one of ConsensusJ-Namecoin or Electrum-NMC.
ConsensusJ-Namecoin
- Install Java. In Debian, this can be done via
sudo apt-get install openjdk-8-jre
; in Fedora, usesudo dnf install java-1.8.0-openjdk
- In a dedicated terminal:
java -jar ./namecoinj-daemon-0.3.2-SNAPSHOT.jar --connection.proxyenabled=false --connection.streamisolation=false --server.port=8336 --namelookup.latest.algo=leveldbtxcache
- It’ll take a few minutes to sync.
Electrum-NMC
- Install Python3-PyQt5. In Debian, this can be done via
sudo apt-get install python3-pyqt5
; in Fedora, usesudo dnf install python3-qt5
./run_electrum_nmc setconfig rpcport 8336
./run_electrum_nmc setconfig rpcuser whateverusernameyouwant
./run_electrum_nmc setconfig rpcpassword whateverpasswordyouwant
- In a dedicated terminal:
./run_electrum_nmc
- Choose “Select server manually” and click “Next”
- Use server “ulrichard.ch”, port 50006, then click “Next”
- Create a Standard wallet with a Legacy seed type; use whatever other settings you like.
- Once the setup wizard finishes, click “Tools” -> “Network”, and check that the block count next to “Blockchain” matches the one listed next to each “Connected node”. It might take some time to sync, if it’s not fully synced yet, feel free to move onto the next step while it syncs.
./run_electrum_nmc daemon load_wallet
For both ConsensusJ-Namecoin and Electrum-NMC
- Test lookups with
curl --data-binary '{"id":"curltext","method":"name_show","params":["d/ca-test"]}' http://whateverusernameyouwant:whateverpasswordyouwant@127.0.0.1:8336
; it should show some JSON that includes an IP address.
Get ncdns
Binary downloads
Build from source
- Install Go: https://golang.org/dl/
go get -d github.com/namecoin/ncdns/...
go generate github.com/namecoin/ncdns/...
go get github.com/namecoin/ncdns/...
Install ncdns
If you’re using Electrum-NMC
- Create
ncdns.conf
in the directory where ncdns is, and fill in the following, substituting your Electrum-NMC username and password:[ncdns] bind="127.0.0.1:5391" namecoinrpcusername="whateverusernameyouwant" namecoinrpcpassword="whateverpasswordyouwant" [xlog] severity="debug"
If you’re using ConsensusJ-Namecoin
- Create
ncdns.conf
in the directory where ncdns is, and fill in the following, using any username and password that you like:[ncdns] bind="127.0.0.1:5391" namecoinrpcusername="whateverusernameyouwant" namecoinrpcpassword="whateverpasswordyouwant" [xlog] severity="debug"
For either Electrum-NMC or ConsensusJ-Namecoin
- Install socat; in Debian, this can be done via
sudo apt-get install socat
- In a dedicated terminal:
./ncdns
- In a dedicated terminal:
sudo socat tcp-listen:53,fork tcp:127.0.0.1:5391
- In a dedicated terminal:
sudo socat udp-listen:53,fork udp:127.0.0.1:5391
- To test:
./q @127.0.0.1 ca-test.bit
; it should return an IP address. If it times out, try again (Electrum-NMC can be especially slow). - You can switch your OS’s DNS to 127.0.0.1 now if you like. Note that this will prevent resolving non-Namecoin domains, so you’ll want to switch it back to what it was before if you want to access non-Namecoin domains.
Get dns-prop279
Only needed if you want to use Tor Browser over Tor.
Binary downloads
Included in ncdns binary downloads; see above.
Build from source
go get github.com/namecoin/dns-prop279
Install dns-prop279
- See instructions at https://www.namecoin.org/docs/tor-resolution/#install-torns .
Get certdehydrate-dane-rest-api
Binary downloads
- https://www.namecoin.org/files/certdehydrate-dane-rest-api/master-2018-12-22/certdehydrate-dane-rest-api-HEAD-linux_386.tar.gz
- https://www.namecoin.org/files/certdehydrate-dane-rest-api/master-2018-12-22/certdehydrate-dane-rest-api-HEAD-linux_amd64.tar.gz
- https://www.namecoin.org/files/certdehydrate-dane-rest-api/master-2018-12-22/certdehydrate-dane-rest-api-HEAD-linux_arm64.tar.gz
- https://www.namecoin.org/files/certdehydrate-dane-rest-api/master-2018-12-22/certdehydrate-dane-rest-api-HEAD-linux_arm.tar.gz
- https://www.namecoin.org/files/certdehydrate-dane-rest-api/master-2018-12-22/certdehydrate-dane-rest-api-HEAD-linux_ppc64le.tar.gz
- https://www.namecoin.org/files/certdehydrate-dane-rest-api/master-2018-12-22/certdehydrate-dane-rest-api-HEAD-linux_ppc64.tar.gz
Build from source
- Install Go: https://golang.org/dl/
go get github.com/namecoin/certdehydrate-dane-rest-api
- If you get an error mentioning miekg/dns, then do this:
pushd $(go env GOPATH)/src/github.com/miekg/dns; git checkout v1.0.15; popd
and then try again.
Install certdehydrate-dane-rest-api
- In a dedicated terminal,
./certdehydrate-dane-rest-api
- If you haven’t already switched your OS’s network settings to use DNS
127.0.0.1
, do so now to test. - You can test it by running
curl http://127.0.0.1:8080/lookup?domain=ca-test.bit
; it should show a base64-encoded certificate. - If you want, you can restore your DNS settings to the default until we’re ready to test ncp11.
Get ncp11
Binary downloads
Only available for amd64; if you’re on another arch, you’ll need to build from source.
Build from source
- Install the
libltdl
development headers. On Debian, this can be done viasudo apt-get install libldtl-dev
- Install Go: https://golang.org/dl/
go get -d github.com/namecoin/ncp11
cd $(go env GOPATH)/src/github.com/namecoin/ncp11
make
; if you get an error about constants overflowing ints, runpushd $(go env GOPATH)/src/github.com/miekg/pkcs11; git remote add JeremyRand https://github.com/JeremyRand/pkcs11; git fetch JeremyRand; git checkout JeremyRand/32bit-hack; popd
and then try again.
Install ncp11
- Build ncp11 from source (see above) or download binaries from Namecoin.org.
- Install certdehydrate-dane-rest-api and make sure that it’s running. (You’ll probably want to set it to launch automatically on boot.)
- Follow the instructions below for your desired TLS implementation:
Generic NSS (Anything that uses the shared NSS trust store, e.g. Chromium)
sudo make install
- Find the
libnssckbi.so
file that shipped with NSS. You can easily search for it viafind /usr/ -name libnssckbi.so
. Commonly found locations include/usr/lib64/nss/libnssckbi.so
(on Fedora for amd64) and/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
(on Debian for amd64). - Copy
libnssckbi.so
to/usr/local/namecoin/libnssckbi-namecoin-target.so
. For example,sudo cp /usr/lib64/nss/libnssckbi.so /usr/local/namecoin/libnssckbi-namecoin-target.so
. make nss-shared-install
You’ll need to restart your NSS-using programs (e.g. Chromium) if you want them to notice that ncp11 is installed.
Remember to re-copy libnssckbi.so
whenever NSS is upgraded on your system!
TODO: If it breaks, use the Tor Browser method.
Firefox
sudo make install
- Find the
libnssckbi.so
file that shipped with Firefox. You can easily search for it viafind /usr/ -name libnssckbi.so
. Commonly found locations include/usr/lib/firefox-esr/libnssckbi.so
(on Debian Stretch). Some operating systems (e.g. Fedora, and Debian Buster) don’t ship an NSS that’s specific to Firefox and instead make Firefox use the system NSS; if you’re on such an OS, use the systemlibnssckbi.so
. - Copy
libnssckbi.so
to/usr/local/namecoin/libnssckbi-namecoin-target.so
. For example,sudo cp /usr/lib/firefox-esr/libnssckbi.so /usr/local/namecoin/libnssckbi-namecoin-target.so
. make nss-firefox-install
Note that it’s a very bad idea to install both Generic NSS and Firefox support at the same time, because the copied libnssckbi.so
instances will conflict. However, if your OS’s Firefox package uses the system NSS (e.g. Fedora or Debian Buster), then it’s totally fine to install both simultaneously (since the libnssckbi.so
files are identical).
You’ll need to restart Firefox if you want it to notice that ncp11 is installed.
Remember to re-copy libnssckbi.so
whenever NSS is upgraded on your system!
TODO: If it breaks, use the Tor Browser method.
Tor Browser
- Make sure that Tor Browser isn’t currently running.
- Rename
libnssckbi.so
in the Tor BrowserBrowser
directory tolibnssckbi-namecoin-target.so
. - Copy
libnamecoin.so
from ncp11 to the Tor BrowserBrowser
directory. - Rename
libnamecoin.so
in the Tor BrowserBrowser
directory tolibnssckbi.so
.
You can now start Tor Browser.
Remember to re-do these steps whenever Tor Browser is upgraded on your system!
Bonus content: Get generate_nmc_cert
TODO