CHIA-2102 - Set minimum to TLSv1.3 #19079

Draft
wants to merge 3 commits into
base: main
31 changes: 15 additions & 16 deletions chia/daemon/server.py
Expand Up @@ -193,23 +193,22 @@ def __init__(
async def run(self) -> AsyncIterator[None]:
self.log.info(f"Starting Daemon Server ({self.self_hostname}:{self.daemon_port})")

# Note: the minimum_version has been already set to TLSv1_2
# Note: the minimum_version has been already set to TLSv1_3
# in ssl_context_for_server()
# Daemon is internal connections, so override to TLSv1_3 only unless specified in the config
if ssl.HAS_TLSv1_3 and not self.net_config.get("daemon_allow_tls_1_2", False):
try:
self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
except ValueError:
# in case the attempt above confused the config, set it again (likely not needed but doesn't hurt)
self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2

if self.ssl_context.minimum_version is not ssl.TLSVersion.TLSv1_3:
self.log.warning(
(
"Deprecation Warning: Your version of SSL (%s) does not support TLS1.3. "
"A future version of Chia will require TLS1.3."
),
ssl.OPENSSL_VERSION,
# Daemon is internal connections, so override to TLSv1_2 only if specified in the config
if self.net_config.get("daemon_allow_tls_1_2", False):
self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
self.ssl_context.set_ciphers(
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-CHACHA20-POLY1305:"
"ECDHE-RSA-CHACHA20-POLY1305:"
"ECDHE-ECDSA-AES128-GCM-SHA256:"
"ECDHE-RSA-AES128-GCM-SHA256:"
"ECDHE-ECDSA-AES256-SHA384:"
"ECDHE-RSA-AES256-SHA384:"
"ECDHE-ECDSA-AES128-SHA256:"
"ECDHE-RSA-AES128-SHA256"
)

self.state_changed_task = asyncio.create_task(self._process_state_changed_queue())
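Review bot: The `daemon_allow_tls_1_2` branch lowers the daemon's floor to TLS 1.2 silently, whereas the removed code logged a deprecation warning whenever the context was not TLS 1.3-only, so an operator who leaves the flag set will see nothing in the logs about the weaker floor. Add a warning inside the branch, e.g. `self.log.warning("daemon_allow_tls_1_2 is set: the daemon accepts TLS 1.2 connections. A future version of Chia will require TLS1.3.")`. The restored cipher string is the same list that ssl_context_for_server used to apply, including the CBC suites `ECDHE-*-AES256-SHA384` and `ECDHE-*-AES128-SHA256`; now that this path is opt-in only it is worth deciding whether the non-AEAD suites still need to be offered, and a one-line comment explaining why the list is duplicated here rather than shared with chia/server/server.py would help the next reader. The `run` method starts and ends outside this hunk.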
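--- a/chia/server/server.py
+++ b/chia/server/server.py
@@ -58,19 +58,7 @@ def ssl_context_for_server(
 
 ssl_context = ssl._create_unverified_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=str(ca_cert))
 ssl_context.check_hostname = False
-ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
-ssl_context.set_ciphers(
-"ECDHE-ECDSA-AES256-GCM-SHA384:"
-"ECDHE-RSA-AES256-GCM-SHA384:"
-"ECDHE-ECDSA-CHACHA20-POLY1305:"
-"ECDHE-RSA-CHACHA20-POLY1305:"
-"ECDHE-ECDSA-AES128-GCM-SHA256:"
-"ECDHE-RSA-AES128-GCM-SHA256:"
-"ECDHE-ECDSA-AES256-SHA384:"
-"ECDHE-RSA-AES256-SHA384:"
-"ECDHE-ECDSA-AES128-SHA256:"
-"ECDHE-RSA-AES128-SHA256"
-)
+ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
 ssl_context.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
 ssl_context.verify_mode = ssl.CERT_REQUIRED
 return ssl_context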
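Review bot: `ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3` is now unconditional, but the daemon code this PR removes guarded the same assignment with `ssl.HAS_TLSv1_3` and caught `ValueError`, so on an OpenSSL build without TLS 1.3 support context creation would likely fail here (or the server would accept no connection at all) with no message explaining why. Make the requirement explicit before the assignment, e.g. `if not ssl.HAS_TLSv1_3: raise RuntimeError(f"TLS 1.3 is required but is not supported by {ssl.OPENSSL_VERSION}")`. Since `set_ciphers` is gone from this function, any later downgrade of the context to TLS 1.2 inherits OpenSSL's default TLS 1.2 suite list unless the caller re-applies one, as the daemon hunk does; a docstring line stating that the returned context is TLS 1.3-only and that TLS 1.2 cipher configuration is the caller's responsibility would keep the two files from drifting. `ssl_context_for_server` begins above this hunk.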