From 7c06c1399f1136a06880f42e7ec7805daad04b81 Mon Sep 17 00:00:00 2001
From: Earle Lowe
Date: Fri, 20 Dec 2024 10:19:27 -0800
Subject: [PATCH 1/3] Set minimum to TLSv1.3

---
 chia/server/server.py | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/chia/server/server.py b/chia/server/server.py
index 1ff72c2214a5..5e35a7350763 100644
--- a/chia/server/server.py
+++ b/chia/server/server.py
@@ -58,19 +58,7 @@ def ssl_context_for_server(
 
     ssl_context = ssl._create_unverified_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=str(ca_cert))
     ssl_context.check_hostname = False
-    ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
-    ssl_context.set_ciphers(
-        "ECDHE-ECDSA-AES256-GCM-SHA384:"
-        "ECDHE-RSA-AES256-GCM-SHA384:"
-        "ECDHE-ECDSA-CHACHA20-POLY1305:"
-        "ECDHE-RSA-CHACHA20-POLY1305:"
-        "ECDHE-ECDSA-AES128-GCM-SHA256:"
-        "ECDHE-RSA-AES128-GCM-SHA256:"
-        "ECDHE-ECDSA-AES256-SHA384:"
-        "ECDHE-RSA-AES256-SHA384:"
-        "ECDHE-ECDSA-AES128-SHA256:"
-        "ECDHE-RSA-AES128-SHA256"
-    )
+    ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
     ssl_context.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
     ssl_context.verify_mode = ssl.CERT_REQUIRED
     return ssl_context

From 6d734ba22abad50cf8a304732ea6c02d8949cdd9 Mon Sep 17 00:00:00 2001
From: Earle Lowe
Date: Fri, 20 Dec 2024 10:43:12 -0800
Subject: [PATCH 2/3] Update daemon specific option

---
 chia/daemon/server.py | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/chia/daemon/server.py b/chia/daemon/server.py
index 1817434acab5..66d075485527 100644
--- a/chia/daemon/server.py
+++ b/chia/daemon/server.py
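Review bot: `ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3` is assigned with no `ssl.HAS_TLSv1_3` guard, so on an OpenSSL build without TLS 1.3 the setter raises ValueError from inside ssl_context_for_server — the daemon code removed in patch 2/3 guarded on `ssl.HAS_TLSv1_3` and caught ValueError for exactly this case. If TLS 1.3 is now a hard requirement, fail with an explicit message before the assignment: `if not ssl.HAS_TLSv1_3: raise RuntimeError("TLS 1.3 support is required but this OpenSSL build lacks it")`. Dropping `set_ciphers` fits the new floor, since that string lists TLS 1.2 suites only and does not affect the TLS 1.3 suites (the stdlib `ssl` module exposes no setter for those); a comment such as `# TLS 1.3 cipher suites are fixed AEAD suites chosen by OpenSSL; set_ciphers() affects TLS 1.2 only` would stop a future reader from re-adding the list. ssl_context_for_server's signature lies outside the hunk.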
@@ -193,15 +193,23 @@ def __init__(
     async def run(self) -> AsyncIterator[None]:
         self.log.info(f"Starting Daemon Server ({self.self_hostname}:{self.daemon_port})")
 
-        # Note: the minimum_version has been already set to TLSv1_2
+        # Note: the minimum_version has been already set to TLSv1_3
         # in ssl_context_for_server()
-        # Daemon is internal connections, so override to TLSv1_3 only unless specified in the config
-        if ssl.HAS_TLSv1_3 and not self.net_config.get("daemon_allow_tls_1_2", False):
-            try:
-                self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
-            except ValueError:
-                # in case the attempt above confused the config, set it again (likely not needed but doesn't hurt)
-                self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+        # Daemon is internal connections, so override to TLSv1_2 only if specified in the config
+        if self.net_config.get("daemon_allow_tls_1_2", False):
+            self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+            self.ssl_context.set_ciphers(
+                "ECDHE-ECDSA-AES256-GCM-SHA384:"
+                "ECDHE-RSA-AES256-GCM-SHA384:"
+                "ECDHE-ECDSA-CHACHA20-POLY1305:"
+                "ECDHE-RSA-CHACHA20-POLY1305:"
+                "ECDHE-ECDSA-AES128-GCM-SHA256:"
+                "ECDHE-RSA-AES128-GCM-SHA256:"
+                "ECDHE-ECDSA-AES256-SHA384:"
+                "ECDHE-RSA-AES256-SHA384:"
+                "ECDHE-ECDSA-AES128-SHA256:"
+                "ECDHE-RSA-AES128-SHA256"
+            )
 
         if self.ssl_context.minimum_version is not ssl.TLSVersion.TLSv1_3:
             self.log.warning(

From 9621ed59c5ee78fa9b2a47d970ce47c0a0982d3f Mon Sep 17 00:00:00 2001
From: Earle Lowe
Date: Fri, 20 Dec 2024 10:48:32 -0800
Subject: [PATCH 3/3] Remove deprecation warning

---
 chia/daemon/server.py | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/chia/daemon/server.py b/chia/daemon/server.py
index 66d075485527..f08eed52b648 100644
--- a/chia/daemon/server.py
+++ b/chia/daemon/server.py
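Review bot: The new `if self.net_config.get("daemon_allow_tls_1_2", False):` branch lowers the daemon's TLS floor and installs a TLS 1.2 cipher list without logging that it did so, and the `minimum_version is not TLSv1_3` warning just below it is the only remaining record of that state — patch 3/3 removes it. Add a line inside the branch such as `self.log.warning("daemon_allow_tls_1_2 is set; daemon will accept TLS 1.2 connections")` so the downgrade is visible in logs and can be alerted on. The cipher string in this branch is the list patch 1/3 removed from ssl_context_for_server; if it is to live on, a module-level constant naming it as the TLS 1.2 suite list would keep it auditable in one place. run() continues past the end of the hunk.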
@@ -211,15 +211,6 @@ async def run(self) -> AsyncIterator[None]:
                 "ECDHE-RSA-AES128-SHA256"
             )
-
-        if self.ssl_context.minimum_version is not ssl.TLSVersion.TLSv1_3:
-            self.log.warning(
-                (
-                    "Deprecation Warning: Your version of SSL (%s) does not support TLS1.3. "
-                    "A future version of Chia will require TLS1.3."
-                ),
-                ssl.OPENSSL_VERSION,
-            )
 
         self.state_changed_task = asyncio.create_task(self._process_state_changed_queue())
         self.webserver = await WebServer.create(
             hostname=self.self_hostname,