Chia using SSL v2, SSL v3, TLS v1.0 and TLS v1.1

Hi, is there a way to disable support for SSL v2, SSL v3, TLS v1.0 and TLS v1.1 in Chia (i.e., chia_full_node and chia_farmer)?

I need to disable it to clean up vulnerabilities, namely, TLS Version 1.0 Protocol Detection | Tenable®.

TLS v1.2 and TLS v1.3 are OK.

Thanks, joe

A PR has been submitted to fix this in the next release. Until then you could put it behind a reverse proxy / WAF.

Are there any updates on this? My IT department just contacted me about this issue.

I will check out the current code branch

All those versions other than TLS 1.3 are needed only on a web server that expects (wants to support) connections from old devices (very old Android, Apple, Win phones). For Chia, it should be set just to TLS 1.3 (as the only devices using it are chia nodes). Everything else should be removed.

You probably want 1.2 for systems that don’t have 1.3 support.

Do you know whether the OpenSSL library is bundled with Chia, or whether it depends on the system to provide it? (Yeah, I tried to use TLS 1.3 on CentOS 7, but it is not there. Still, I restricted everything to just 1.2 a long time ago.)

Also, just restricting TLS versions is not good enough, as you would also want to restrict ciphers.
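
Added example, not part of the thread and not Chia's own code: assuming a Python service built on the standard `ssl` module, this sets the TLS 1.2 floor and a restricted cipher list as discussed in the last posts, then reports which OpenSSL the interpreter is linked against and whether TLS 1.3 is available. The cipher string and the function names `hardened_context` and `audit` are assumptions made for the example.

```python
import ssl

# Assumed policy for this example (not taken from Chia's configuration):
# ECDHE key exchange with AEAD ciphers only, no anonymous or PSK suites.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK"


def hardened_context(purpose=ssl.Purpose.CLIENT_AUTH):
    """Server-side context that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites are managed
    # separately by OpenSSL and are all AEAD.
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def audit(ctx):
    """Summarise what this context and the linked OpenSSL can negotiate."""
    weak = []
    for cipher in ctx.get_ciphers():
        legacy_protocol = cipher["protocol"] not in ("TLSv1.2", "TLSv1.3")
        if legacy_protocol or not cipher.get("aead", False):
            weak.append(cipher["name"])
    return {
        # Shows whether the interpreter uses a bundled or system OpenSSL build.
        "openssl": ssl.OPENSSL_VERSION,
        # False on builds too old for TLS 1.3; the 1.2 floor still applies.
        "tls13_available": ssl.HAS_TLSv1_3,
        "minimum_version": ctx.minimum_version.name,
        "enabled_ciphers": [c["name"] for c in ctx.get_ciphers()],
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    for key, value in audit(hardened_context()).items():
        print(f"{key}: {value}")
```

A scanner finding such as the Tenable one in the first post should clear once the listening socket is wrapped with a context like this; `weak_ciphers` stays empty when only AEAD suites for TLS 1.2 and 1.3 remain.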