update discussion of Twisted rekeying bug

[Imported from Trac: page SftpFrontend, version 84]

SftpFrontend.md

@@ -26,9 +26,11 @@ Deleting a directory via the SFTP frontend will not check that it is empty. The
 
 The '`ctime`' and '`mtime`' attributes will always be the same, and are set from the Tahoe `linkmotime` timestamp, which is changed only when the link from the parent directory is modified (see the ['About the metadata' section of webapi.rst](http://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/frontends/webapi.rst#about-the-metadata)). These fields are not updated when the contents of a mutable file are changed. The SFTP protocol and the server are able to represent dates up to the year 2106, but some clients may print dates incorrectly after 2037.
 
-Versions of Twisted before 11.0 have [a bug in support for rekeying](http://twistedmatrix.com/trac/ticket/4395). This might cause a hang or 100% CPU usage by the gateway when a client tries to rekey. Depending on the client, rekeying may be triggered based on a time interval or the amount of data sent (for example, 1 GiB to 4 GiB for the openssh client); this problem will typically only affect long-lived connections or very large files. Some clients have options to disable rekeying:
+Versions of Twisted before 11.0 have [a bug in support for rekeying](http://twistedmatrix.com/trac/ticket/4395). This might cause a hang or 100% CPU usage by the gateway when a client tries to rekey. Depending on the client, rekeying may be triggered based on a time interval or the amount of data sent (for example, 1 GiB to 4 GiB for the openssh client), so this problem may not happen immediately when testing. Tahoe-LAFS v1.10 will require Twisted >= 11.0 to avoid this problem; in the meantime, we recommend that you either:
-* for OpenSSH and sshfs, either use the option `-o [RekeyLimit](RekeyLimit)=0`, or add the line `RekeyLimit=0` to `~/.ssh/config` (TODO: please test this!)
+* Install Twisted 11.0 or later manually (if it is not already installed), or
-* for WinSCP, [#WinSCP see that section below].
+* Use an option in your client to disable rekeying. For example in WinSCP, in the Key exchange section of the options under SSH, set both 'Max minutes before rekey' and 'Max data before rekey' to 0. Note that OpenSSH and sshfs do not seem to have an option to do this that works, contrary to what a previous version of this page said.
+
+Disabling rekeying [might introduce cryptographic weaknesses](http://winscp.net/eng/docs/ui_login_kex#reexchange), so updating Twisted is the preferred solution.
 
 
 # Unicode filenames
@@ -68,7 +70,7 @@ If a file in a mutable directory is closed concurrently with an operation that n
 
 A POSIX application might assume that deleting a non-empty directory will fail, when it does not on a Tahoe filesystem (#1362).
 
-To avoid potential bugs with rekeying, either use the `-o [RekeyLimit](RekeyLimit)=0` option to `sshfs`, or add the line `RekeyLimit=0` to `~/.ssh/config`.
+To avoid potential bugs with rekeying, check that the version of Twisted shown by `tahoe --version-and-path` is at least 11.0. If not, install a more recent version of Twisted. This will not be an issue for Tahoe-LAFS v1.10 or later.
 
 To unmount an sshfs filesystem, make sure you are in the `fuse` group (if necessary use "`sudo adduser `whoami` fuse`"), and then do "`fusermount -u mountpoint`".
 
@@ -107,7 +109,6 @@ In the WinSCP Login dialog, the following options need to be set (some require '
 
 ** In the Environment section, set 'UTF-8 encoding for filenames' to 'On'.
  * In the Connection section, set 'Server response timeout' to the maximum 6000 seconds.
- * In the Key exchange section under SSH, set both 'Max minutes before rekey' and 'Max data before rekey' to 0.
  * Use '127.0.0.1' instead of 'localhost' if WinSCP says the connection has been refused. It sometimes tries connecting to [*  
 1] (IPv6 localhost), where tahoe does *not* listen.