Arti 2.2.0: HTTP CONNECT support, RPC improvements and security

Key points:
  • The experimental feature to use the HTTP CONNECT protocol instead of SOCKS is now stable and enabled by default.
  • The remote procedure call library supports non-blocking requests and incorporates a superuser function for global administrative control.
  • The TROVE-2026-005 security patch fixes a weakness in resistance to denial-of-service attacks that affects environments without hardware AES acceleration.
  • Technical advances in the development of relay nodes, including inbound TLS authentication and RSA 2048 certificates for compatibility with the classic network.
  • Compilation improvements for the WebAssembly architecture and a rewrite of the Chutney test scripts in Python.


The Tor Project has announced the availability of "Arti 2.2", the latest update to its network implementation written entirely in Rust.

This version improves connectivity features that were in the experimental phase, introduces new administrative capabilities for developers, and makes significant progress on the internal infrastructure needed to operate relay nodes in the future.

HTTP CONNECT connections and RPC improvements

One of the most practical changes in this new version is the stabilization of support for the HTTP CONNECT protocol. This function allows external applications to connect to the Tor network through an HTTP proxy instead of the traditional SOCKS protocol. Starting with this update, the feature is enabled by default in the build and operates using the same network port as SOCKS. Routing flexibility also extends to outbound traffic, allowing clients to use external HTTP CONNECT proxies.
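Serving SOCKS and HTTP CONNECT on one port means the listener has to tell the two apart from the first bytes a client sends. The following is an added illustration of that decision, not Arti's own code; `Proto`, `classify`, `classify_http` and the `MAX_LINE` cap are hypothetical names and values chosen for this example.

```rust
// Added illustration, not Arti's code: pick the proxy protocol from the
// first bytes a client sends to a listener shared by SOCKS and HTTP CONNECT.
#[derive(Debug, PartialEq)]
enum Proto {
    Socks4,
    Socks5,
    HttpConnect { host: String, port: u16 },
    NeedMore, // too few bytes to decide; keep reading
    Reject,   // neither SOCKS nor a well-formed CONNECT request line
}
const MAX_LINE: usize = 8192; // assumed cap so a client cannot send an endless line

fn classify(buf: &[u8]) -> Proto {
    match buf.first() {
        None => Proto::NeedMore,
        Some(0x04) => Proto::Socks4, // SOCKS4/4a version byte
        Some(0x05) => Proto::Socks5, // SOCKS5 version byte (RFC 1928)
        Some(_) => classify_http(buf),
    }
}

fn classify_http(buf: &[u8]) -> Proto {
    // Wait for the complete request line before parsing anything.
    let Some(end) = buf.windows(2).position(|w| w == b"\r\n") else {
        return if buf.len() > MAX_LINE { Proto::Reject } else { Proto::NeedMore };
    };
    let Ok(line) = std::str::from_utf8(&buf[..end]) else { return Proto::Reject };
    let mut parts = line.split(' ');
    let (Some("CONNECT"), Some(target), Some("HTTP/1.1" | "HTTP/1.0"), None) =
        (parts.next(), parts.next(), parts.next(), parts.next())
    else { return Proto::Reject };
    // CONNECT takes authority-form "host:port"; IPv6 literals are bracketed.
    let Some((host, port)) = target.rsplit_once(':') else { return Proto::Reject };
    let bare = host.strip_prefix('[').and_then(|h| h.strip_suffix(']'));
    let name = bare.unwrap_or(host);
    if name.is_empty() || (bare.is_none() && host.contains(':')) {
        return Proto::Reject; // empty host or unbracketed IPv6 literal
    }
    match port.parse::<u16>() {
        Ok(p) if p != 0 && port.bytes().all(|b| b.is_ascii_digit()) => Proto::HttpConnect { host: name.to_string(), port: p },
        _ => Proto::Reject,
    }
}

fn main() {
    // Constructed sample inputs: a SOCKS5 greeting and a CONNECT request.
    println!("{:?}", classify(b"\x05\x01\x00"));
    println!("{:?}", classify(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"));
}
```

Anything that is not SOCKS or a well-formed CONNECT request line, such as a plain `GET`, is rejected rather than proxied.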

On the control and automation side, the remote procedure call client library (arti-rpc-client-core) has received a core update: it now handles non-blocking requests and integrates directly with application event loops, offering application programming interfaces (APIs) accessible from Rust, C, and Python. Additionally, the RPC ecosystem introduces a new superuser feature. This capability allows administrators to view and modify global parameters that affect the entire running Arti instance, overcoming the previous limitation that only allowed managing the isolated traffic of each application.

Security and development of relay nodes

In terms of technical security, the update addresses the vulnerability documented as TROVE-2026-005. This fault, categorized as having a low level of severity, slightly weakened the system's resistance to denial-of-service (DoS) attacks. The problem only manifested itself in unusual build configurations, specifically when an application embedded Arti by combining certain cryptographic dependencies on processors that lacked hardware acceleration for the AES standard.

Further development continues to focus on equipping Arti with the necessary tools to function as a middle relay node. The current code already allows nodes to successfully accept incoming TLS connections and perform handshakes to authenticate both to clients and to other nodes on the network. To work around a documented compatibility issue in the classic Tor implementation (written in C), the developers have adjusted the TLS certificates in Arti to temporarily use 2048-bit RSA keys. At the same time, they have improved the tracking of network peer IP addresses and optimized signature verification in directory server documents.

WebAssembly and test optimization

The developers have prepared the ground for future implementations in web browsers: multiple compilation warnings for the WebAssembly platform (wasm32-unknown-unknown) have been corrected. To ensure compatibility in these environments, all programming interfaces that handle time measurements have migrated to the specialized web_time dependency.

The quality control environment has also improved considerably with the release of this new version. The test scripts based on the Chutney framework have been completely rewritten in Python to ensure better continuous integration.

Other notable changes include:

  • The project has switched to a forked version of ssh-key with workarounds and bug fixes needed to support some legacy key types.
  • The directory client logic now supports requesting documents with "additional information".
  • The key manager operations have been improved and refactored for better handling of relay certificates and related keys.
  • Internal documentation has been improved regarding what it means for a directory request to be "anonymized".

Finally, the internal IP geolocation database has been updated and the project managers have removed several restrictive security warnings from the official documentation that only applied to preliminary and obsolete versions of the software.

If you are interested in knowing more about it, you can consult the details in the following link.