From 6d734ba22abad50cf8a304732ea6c02d8949cdd9 Mon Sep 17 00:00:00 2001
From: Earle Lowe
Date: Fri, 20 Dec 2024 10:43:12 -0800
Subject: [PATCH] Update daemon specific option
---
 chia/daemon/server.py | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/chia/daemon/server.py b/chia/daemon/server.py
index 1817434acab5..66d075485527 100644
--- a/chia/daemon/server.py
+++ b/chia/daemon/server.py
@@ -193,15 +193,23 @@ def __init__(
 async def run(self) -> AsyncIterator[None]:
 self.log.info(f"Starting Daemon Server ({self.self_hostname}:{self.daemon_port})")
- # Note: the minimum_version has been already set to TLSv1_2
+ # Note: the minimum_version has been already set to TLSv1_3
 # in ssl_context_for_server()
- # Daemon is internal connections, so override to TLSv1_3 only unless specified in the config
- if ssl.HAS_TLSv1_3 and not self.net_config.get("daemon_allow_tls_1_2", False):
- try:
- self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
- except ValueError:
- # in case the attempt above confused the config, set it again (likely not needed but doesn't hurt)
- self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+ # Daemon is internal connections, so override to TLSv1_2 only if specified in the config
+ if self.net_config.get("daemon_allow_tls_1_2", False):
+ self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+ self.ssl_context.set_ciphers(
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-SHA384:"
+ "ECDHE-RSA-AES256-SHA384:"
+ "ECDHE-ECDSA-AES128-SHA256:"
+ "ECDHE-RSA-AES128-SHA256"
+ )
 if self.ssl_context.minimum_version is not ssl.TLSVersion.TLSv1_3:
 self.log.warning(